Query Data from a Local Table
Ensuring secure administration
The context-dependent authorizations combine the general and structural authorizations and avoid situations like in the example above. The context-dependent authorizations can be separated so finely that a separation of functions can be made possible without any gaps. Basically, with context-dependent authorizations, the authorization objects are supplemented by structural authorization profiles. This means that authorizations are no longer assigned generally, but only for the objects in the authorization profile. The use of context-dependent authorizations means that the familiar P_ORGIN authorization objects are replaced by P_ORGINCON and P_ORGXX by P_ORGXXCON. The new authorization objects then contain a parameter for the authorization profile.
The indirect role assignment uses the evaluation paths PROFLO and PROFLINT for assigning the PFCG roles to the corresponding users. However, these evaluation methods ignore the object CP (central person), which represents the business partner in SAP CRM. In transaction PFUD, which provides for the user comparison, the evaluation paths US_ACTGR and SAP_TAGT are used. Again the object CP is not known.
Reference User
It is very important that critical authorizations are generally subject to a monitoring process in order to be able to ensure that they are assigned in a productive system in a very restricted manner or not at all. Law-critical authorizations in particular, such as deleting all change documents, debugging ABAP programs with Replace, and deleting version histories, must never be assigned in a production system, as these authorizations can be used to violate the erasure ban, among other things. It must therefore be ensured that these authorizations have not been assigned to any user, not even to SAP® base administrators.
Here I had to look for a moment at which point for SAP key users and not only for the SAP Basis in the SAP system an authorization is callable and may like to take this as an opportunity to write here in the article a few basics on the "anatomy" of SAP authorizations. To access the SAP system, the first thing you need is an SAP user ID (User). The user maintenance transaction SU01 (or SU01D) can be used to assign roles (from which profiles are derived) in addition to the (initial) password and personal data.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
The website www.sap-corner.de offers many useful information about SAP basis.
Since identical passwords are often used for different systems, the determined password may also be usable for downstream systems.
To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.
The usual space has a hexadecimal value of 20, but there are alternative spaces (wide spaces), which can be recognised, for example, as double width or not at all as character spacing.