Our offer
Advantages of authorization tools
In the area of group consolidation, an authorization concept ensures that no data can be deliberately manipulated, for example to change balance sheets. This can prevent significant financial or reputational damage to banks and stakeholders. Furthermore, access to financial data of subdivisions of a group, such as individual business units or companies, must be restricted to those employees who are allowed to access it because their current activities require it. As a result, a controller of a business unit, for example, can only view the consolidated figures of his business unit, but not the figures of the entire group. Further authorization roles are required, for example, for external auditors. These auditors check all the figures for the entire group, but may only have read access to this data.
In everyday role maintenance, you often have to change the permission data of a single role again after you have already recorded the role in a transport order along with the generated permission profiles. In this case, you have previously had to create a new transport order because the table keys of the generated profiles and permissions are also recorded for each individual role record, but are not adjusted for subsequent changes in the role data.
Authorization concepts - advantages and architecture
Finally, the check logic provides for a row-level check within a table if you want to restrict access to the table contents depending on an organisational mapping. For example, if you want a user to view only the data from a table that affects the country where their work location is located, you must configure it accordingly. To do this, you define and activate organisation-relevant fields as an organisational criterion (see Tip 62, "Organisationally restrict table editing permissions"). To keep track of which users can access which tables, run the SUSR_TABLES_WITH_AUTH report. This report provides information about which user or single role has the S_TABU_DIS or S_TABU_NAM authorization objects. The result list shows all the authorised tables, their permissions, and their permission values.
Native or analytical tiles: These tiles work exclusively in the FIORI interface and are adapted to the new technology. Here, for example, push messages are displayed on the tile, or key figures, diagrams, etc. are displayed, which can then be processed directly with a click. These tiles do not have direct GUI access, or cannot be used directly in the GUI environment. As mentioned above, access to these tiles is provided in a so-called front-end system via corresponding catalogs and groups. However, the underlying conceptual permissions (who is allowed to do what within the functionality of the tile) follows the same processes as in the "old world" for transaction access. The tile in the front-end needs here corresponding dependent distinctive authorizations (keyword: SU24 adjustment). In the back-end system, then again - analogous to the "old" world - about a role, which is built in the profile generator and maintained on object and field level, or set. Of course, topics such as updating internal and third-party tools, integrating cloud solutions, modern hybrid infrastructures, defining and operating ongoing dynamic changes, etc. must also be taken into account here.
Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.
Understanding the structure and functioning of the system is especially important for IT administration. It is not for nothing that "SAP Basis Administrator" is a separate professional field. On the page www.sap-corner.de you will find useful information on this topic.
Conversely, you cannot use an existing transaction role in the menu as a customising role.
The freeware Scribble Papers puts an end to the confusing paper chaos. The tool is also suitable for storing, structuring and quickly finding text documents and text snippets of all kinds in addition to notes.
When you save permission proposal values in transport orders, you will notice that generic entries are used instead of detailed BOMs. These generic entries mark all applications, for example, with TR*..