SAP Authorizations Assignment of critical authorizations and handling of critical users

Direkt zum Seiteninhalt
Assignment of critical authorizations and handling of critical users
Perform upgrade rework for Y landscapes permission proposal values
SAP authorizations control the access options of users in an SAP system, for example to personal data. Managing this access securely is essential for every company. This makes authorization concepts, authorization tools and automated protection of the SAP system all the more important.

Once you have defined your criteria for executing the report, you can create different variants for the report and schedule corresponding jobs to automatically lock down or invalidate the inactive users. If you want to start the report in a system that is connected to a Central User Management, you should consider the following points: You can only set local user locks. You can set the validity period only if the maintenance is set to Local in the settings of the Central User Management (this setting is set in the SCUM transaction).
Use application search in transaction SAIS_SEARCH_APPL
All external services with their suggested values can be viewed or maintained in the transaction SU24. Access to external services or all CRM functions and data within CRM functions is realised via PFCG roles. To create these PFCG roles, you must first create a role menu. To do this, run the report CRMD_UI_ROLE_PREPARE. You can specify either the name of the CRM Business Role (User Role) or the name of the assigned PFCG role. It is also important that you specify the language in which the PFCG role will be maintained in the appropriate field.

The path with the associated permission group DEVL contains the local temporary files of the ABAP Frontend Editor of the ABAP development environment (transactions SE38, SE80, SE24, etc.). The two paths with the ADMN permission group show how logically related paths can be grouped into a S_PATH permission check. The two entries with the FILE permission group show how paths for Windows can be completed in systems with application servers of different operating systems. The core.sem and coreinfo entries are required to write run-time errors in the SNAP snapshot table. The dev_ and gw_ entries allow you to view files from the developer trace and Gateway Log in the ST11 transaction. If the suggestion in the first entry of the table is too restrictive, you can choose the alternative in the following table. This entry only forces a permission check on S_PATH and the ALL permission group; You should, however, only grant such permission very restrictively.

Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.

If you want to get more information about SAP basis, visit the website www.sap-corner.de.


You may have seen that a screenshot from the SU53 transaction shows a missing permission for typical base authorization objects, such as S_ADMI_FCD, S_CTS_ADMI, or S_TRANSLAT, but you know that your check has nothing to do with the actual permissions problem in the application.

The freeware Scribble Papers is a "note box" in which all kinds of data can be stored. It takes in typed texts as well as graphics and entire documents. The data is then organised in folders and pages.


Have you ever wondered who has critical permissions in your system? Have you lacked the tool and approach to identify these users? The user system in an SAP system is always connected to a permission assignment.
Zurück zum Seiteninhalt