SAP Authorizations Custom requirements

Direkt zum Seiteninhalt
Custom requirements
Adjust tax audit read permissions for each fiscal year
Which users have a specific role (PFCG)? To answer this question you start with the transaction PFCG - the mother of all transactions in the environment of SAP roles and authorizations. Select a role and click on the "Users" tab.

If you do not encrypt communication between the client and the application servers, it is surprisingly easy for a third party to catch the username and password. Therefore, make sure you encrypt this interface! There is often uncertainty as to whether the password in SAP systems is encrypted by default and whether there is encryption during communication between the client and application servers by default. This ignorance can lead to fatal security vulnerabilities in your system landscape. We would therefore like to explain at this point how you can secure the passwords in your system and protect yourself against a pick-up of the passwords during transmission.
Permissions checks
In the SU53 you get the entry of the user that is stored there, and this may be old. So it is better to let the user himself display the authorization error via the menu. Maybe you create a small docu for all your users how to display the error and where to send it, so a "Cooking Recipe: How To...". In the SU53 error excerpt, the first thing that is displayed is the authorization that the user is missing. So this object has to be analyzed. In the further part of the error message, the permissions assigned to the user are displayed. This information can be used to classify the user with his role set, where he belongs etc. Finally, in our case 1, we now have the missing authorization and must now clarify whether the user should receive this authorization or not. In addition the specialist department must be contacted, which has to decide whether the user receives the permission! It can happen that the problem reported by the user is not an authorization problem at all. Then the last authorization error is displayed in the SU53 area, which is not the cause of the error at all. Therefore, it is always good to have a screen image of the actual error message sent to you as well. It is not uncommon for developers to issue an authorization error of the type "No authorization for..." from their programs, but they have not checked this with a standard authorization check at all, so that the error is not an actual authorization error.

Since a role concept is usually subject to periodic changes and updates, e.g. because new functions or modules are introduced or new organisational values are added, role names should be designed in such a way that they can be expanded. Therefore, in the next step, define the useful criteria you need in your role name.

Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.

SAP Basis is the foundation of any SAP system. You can find a lot of useful information about it on this page: www.sap-corner.de.


This function block not only responds to a missing permission when the programme starts, but can also specify that only the NO-CHECK check marks maintained in the transaction SE97 allow external calling from another transaction context.

To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.


The sample function module BTE for the event 1650 can be found in the FIBF transaction in the area of Publish-&-Subscribe interfaces (Environment > Information System (P/S)).
Zurück zum Seiteninhalt