SAP Authorizations Important components in the authorization concept

Direkt zum Seiteninhalt
Important components in the authorization concept
The Anatomy of SAP Authorization or Documentation on SAP Authorization Objects and Authorization Field Values
Initial passwords for standard users are extremely risky because they are published. Make sure that this vulnerability does not exist in your system landscape. An SAP system is always shipped with certain standard users or they are automatically set up for the transport management system, for example. These default users use initial passwords that are well known. Close this vulnerability by changing the passwords and protecting the default users from unauthorised use. In this tip we will show you how you can clarify the status of your standard users' passwords and give you recommendations on the settings of your profile parameters.

Another function of this transaction is to find transactions based on generic table access transactions. Here you can check whether there are parameter or variant transactions for a given table, or for a particular view, for which you can set up permissions, instead of allowing access to the table through generic table access tools. If a search result is generated, you can even search for roles that have permissions for the selected alternative applications. To do this, click the Roles button (Use in Single Roles). When using this tool, make sure that even if applications have the same startup properties, there may be different usage characteristics, such as SU22 and SU24 transactions. Both transactions have the same start properties, but are used for different purposes and display different data.
Permissions objects already included
You can also evaluate the application log through the SLG1 (ATAX object) transaction; the output of the report CA_TAXLOG seems more useful here. Finally, we have some important information for you: There are individual programmes that can be used read-only, but also offer options for updates to the database. In these cases, additional logic was implemented (e.g. in SAP Note 925217 to the RFUMSV00 programme for the sales tax pre-reporting). Action log data can be accessed via the transaction SLG2 (Object: ATAX) (see also SAP Note 530733). If you want to customise for the annual permissions directly in the production system (so-called "current setting"), the SAP Note 782707 describes how to do this. Basic information about Current Settings is provided in SAP Notes 135028 and 356483. SAP Note 788313 describes in detail the functional components of the time-space test and the additional logging and also serves as a "cookbook" to use in customer-specific developments. How you can prevent access to the SAP menu and only show the user menu to the user, we described in Tip 47, "Customising User and Permissions Management".

Armed with this information, it goes to the conceptual work. Describe which employee groups, which organisational units use which applications and define the scope of use. In the description, indicate for which organisational access (organisational level, but also cost centres, organisational units, etc.) the organisational unit per application should be entitled; So what you're doing is mapping out the organisation. It is also important to note which mandatory functional separation must be taken into account. This gives you a fairly detailed description, which in principle already indicates business roles (in relation to the system).

However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".

SAP Basis is the foundation of any SAP system. You can find a lot of useful information about it on this page: www.sap-corner.de.


These are assigned via specific groups, which in addition to the normal authorizations (such as create, change, display cost centers) also assign access to the appropriate FIORI Apps.

The freeware Scribble Papers is a "note box" in which all kinds of data can be stored. It takes in typed texts as well as graphics and entire documents. The data is then organised in folders and pages.


To maintain the missing suggestion values, you can start the trace here by clicking on the button Trace.
Zurück zum Seiteninhalt