SAP Authorizations List of required organisational levels and their value

Direkt zum Seiteninhalt
List of required organisational levels and their value
Authorizations in SAP systems: what admins should look out for
Increasingly, it is possible to make use of automation in the security environment. Although these are not yet used by many companies, they are the next step in digital transformation. By using automation intelligently, companies can free up resources for the innovation topics that really matter. In the future, we can expect both the number and power of automation tools to increase. It is therefore only a matter of time before SAP itself also delivers optimized support in the form of tools as standard.

Like all other security issues, SAP authorizations must be integrated into the framework used. The risks associated with incorrectly assigned authorizations must be classified as very high. The definition of a holistic governance, risk and compliance management system is required. This ensures that risks are recorded, analyzed, evaluated, coordinated and forwarded within the company at an early stage. Accordingly, the risks arising from incorrectly assigned SAP authorizations or from a lack of a process for monitoring authorizations are also included here.
General authorizations
You will also notice that many tables have the table permission group &NC& assigned to them, and therefore differentiation over table permission groups over the S_TABU_DIS authorization object would not work at all. Furthermore, you cannot assign permissions to only individual tables in a table permission group using S_TABU_DIS. In such cases, the investigation shall continue: If the permission check on the S_TABU_DIS authorization object fails, the S_TABU_NAM authorization object is checked next. Allows you to explicitly grant access to tables by using the table name.

In most cases, customizing is performed using transaction SPRO. However, this is only the initial transaction for a very comprehensive tree structure of further maintenance transactions. Most customizing activities, however, consist of indirect or direct maintenance of tables. Therefore, a random check of the authorization structure in this environment can be reduced to table authorizations. In the case of delimited responsibilities within customizing (e.g. FI, MM, SD, etc.), attention should therefore be paid here to an appropriate delimitation within the table authorizations. Independent of assigned transaction authorizations within customizing, a full authorization on table level combined with a table maintenance transaction such as SM30 practically corresponds to a full authorization in customizing. Normal customizing by user departments generally refers to client-specific tables. Access to system tables should therefore be restricted to basic administration if possible.

Authorizations can also be assigned via "Shortcut for SAP systems".

Understanding the structure and functioning of the system is especially important for IT administration. It is not for nothing that "SAP Basis Administrator" is a separate professional field. On the page www.sap-corner.de you will find useful information on this topic.


In this step, the data of the transaction SU22 of the new release will be transferred to the transaction SU24.

The freeware Scribble Papers is a "note box" in which all kinds of data can be stored. It takes in typed texts as well as graphics and entire documents. The data is then organised in folders and pages.


It's never too late to rethink your authorization concept.
Zurück zum Seiteninhalt