Authorization concepts - advantages and architecture
Authorization objects of the PFCG role
Set a specific acronym or character to indicate whether your role has critical accesses so that separate assignment or approval rules can be observed for such roles. Define here what"critical"means for your project. Do you only want to identify permissions that are critical to the operation of the SAP system, or business-critical processes? Also define the consistency that has a critical role to play in the assignment to the user.
Today we come to the error analysis with authorizations. The best thing that can happen is the error of the type: "I don't have authorization to do this and that!" (CASE1). Worse is the case that someone has too many permissions, i.e. the type: "User xy should not have this permission anymore" (CASE2). How to proceed? First of all we come to case 1 This case, that someone has no authorization for something, supports the system excellently! The code word is SU53! If a transaction encounters an authorization error, then this error is written to a memory area that can be displayed. For this there is once the transaction SU53 or the menu selection "System/Utilities/Anc authorization check". With this function, the system outputs information showing which authorization objects are missing for the user.
Map roles through organisational management
Authorization tools are a great help in designing a highly automated compliance management system that precisely fits the company's own requirements. The introduction of authorization tools takes some time, but should nevertheless be tackled by companies in order to increase efficiency in the long term and save costs at the same time.
Access to tables and reports should be restricted. A general grant of permissions, such as for the SE16 or SA38 transaction, is not recommended. Instead, parameter or report transactions can help. These transactions allow you to grant permissions only to specific tables or reports. You can maintain secondary authorization objects, such as S_TABU_NAM, in the Sample Value Care.
Authorizations can also be assigned via "Shortcut for SAP systems".
Understanding the structure and functioning of the system is especially important for IT administration. It is not for nothing that "SAP Basis Administrator" is a separate professional field. On the page www.sap-corner.de you will find useful information on this topic.
Not only does the transaction need to be started by the S_TCODE authorization object, but the following conditions must also be met: For certain transactions, there are additional permission checks that are performed before the transaction starts.
So much information... how can you keep it so that you can find it again when you need it? That's what Scribble Papers is great for.
However, it is crucial to justify this in a comprehensible manner.