Ensuring secure administration
Centrally view user favourites
You can do this by using the P_ABAP authorization object to override the usual permission checks. This applies to all reports that access the logical database PNPCE (or PNP). In case of a P_ABAP permission, the usual checks for authorization objects, such as P_ORGIN or P_ORGINCON, will no longer take place or will be simplified. This also applies to structural permissions. Whether the permission checks are simplified or completely switched off is controlled by the COARS field of the object. To disable all checks, set the value COARS = 2. This value does not limit the data displayed in the legitimate report. If you want to allow advanced permissions for reporting, but you do not want them to be unrestricted, you must select COARS = 1. In this case, you will also designate the P_ORGIN (or P_ORGINCON, P_ORGXX and P_ORGXXCON) authorization object. However, you must be careful not to mark all fields of the objects, otherwise direct access is also possible. Therefore, always write two versions of the P_ORGIN authorization object, one with the functional permissions (permission levels, info types, and subtypes), and one with the organisational boundaries (personnel area, employee group, employee group, and organisation keys). In addition, you will of course need a P_ABAP for the relevant reports with the value COARS = 1.
The requirements in the third example to filter the Post Journal Display (transaction FAGLL03) can be implemented using the BAdIs FAGL_ITEMS_CH_DATA. Depending on the permissions granted, certain items or documents should be excluded from display. You can see the definition of BAdIs through the SE18 transaction, and in the SE19 transaction you create an implementation of the BAdIs in the Customer Name Room.
Preventing sprawl with the workload monitor
Make sure that reference users are assigned minimal permissions to avoid overreaching dialogue user permissions. There should be no reference users with permissions that are similar to the SAP_ALL profile.
If you now want to assign PFCG roles indirectly to users via the organisation management, you have to use evaluation methods. Evaluation paths define a chain of relationships between objects within a hierarchy. For example, they define how an organisational unit or a post can be assigned to another organisational unit. This relationship is set to the User ID. However, if the business partner has also been maintained in organisational management, there is no standard evaluation path for this case and the user assigned to the role is not found. However, since in SAP CRM the user IDs are not directly assigned to a post, but via the business partner, you have to make adjustments to the evaluation paths before you can assign the roles indirectly.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
Understanding the structure and functioning of the system is especially important for IT administration. It is not for nothing that "SAP Basis Administrator" is a separate professional field. On the page www.sap-corner.de you will find useful information on this topic.
The SAP authorization concept protects transactions, programs, services and information in SAP systems against unauthorized access.
To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.
With the help of the SUSR_ZBV_GET_RECEIVER_PROFILES report, you can turn on the new functionality in all subsidiary systems where the correction information has also been recorded.