A concept for SAP authorizations prevents system errors and DSGVO violations
Even if key users (department users/application support) do not have to develop their own authorization objects and cooperation with SAP Basis is always advantageous, there are often technical questions such as "Which users have authorization to evaluate a specific cost center or internal order?
Once the programme implementation and documentation have been completed, a functional test will always follow. A corresponding eligibility test should not be forgotten. The permission test must include both a positive and a negative permission test.
Armed with this information, it goes to the conceptual work. Describe which employee groups, which organisational units use which applications and define the scope of use. In the description, indicate for which organisational access (organisational level, but also cost centres, organisational units, etc.) the organisational unit per application should be entitled; So what you're doing is mapping out the organisation. It is also important to note which mandatory functional separation must be taken into account. This gives you a fairly detailed description, which in principle already indicates business roles (in relation to the system).
Copy values from the Clipboard to the transaction's PFCG permission fields
Access to this data is critical, since the hash values can possibly be decrypted using tools, thus enabling unauthorized logon to the SAP system. Since identical passwords are often used for different systems, the determined password may also be usable for downstream systems. The current or former hash values of the passwords are stored in the tables USR02, USH02, USRPWDHISTORY, USH02_ARC_TMP, VUSER001 and VUSR02_PWD. These tables can be accessed either via classic table access transactions such as SE16 or via database administration transactions such as DBACOCKPIT. The authorizations required for table access via database tools depend on the respective system configuration and should be verified via an authorization trace (transaction STAUTHTRACE), if necessary.
Since 2001, SAP has been working with the German-speaking SAP user group (DSAG e. V.) Model rolls for tax inspectors developed and revised over the years. The role definition reflects an interpretation of the DSAG of the concept of tax-relevant data.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
If you want to get more information about SAP basis, visit the website www.sap-corner.de.
Often, the remixing of the respective roles is also forgotten.
So much information... how can you keep it so that you can find it again when you need it? Scribble Papers is a "note box" that makes this very easy.
Suggested values are maintained in the transaction SU24 and delivered through the transaction SU22.