SAP Authorizations - A Common Perspective of Developers and Consultants
Starting reports
Transaction SU53 can be used to immediately display the missing authorizations for a single SAP user. This is advantageous when individual background processing or activities are not executed correctly and the cause is suspected to be missing authorizations. In this way, the cause of the error can be narrowed down more quickly.
In order to transport this table entry, you must go to the object list of the transport order in transaction SE09 and manually create an entry there with object key R3TR TABU KBEROBJ. Double-click on the key list, and you will be taken to the care image where you have to create an entry with *. This will transport all entries in the KBEROBJ table starting with a space. You must then move the RESPAREA field to the organisational level. Please follow the instructions in our Tip 49, "Add New Organisation Levels". If you use more than one Cost Centre or Profit Centre hierarchy with inheritance logic for the permissions, you must set this in the Customising cost accounting circles through the transaction OKKP. There you can decide in the year independent basic data which hierarchies you want to use. In the basic data for the year, you then define which hierarchies should be used per fiscal year. You can use up to three hierarchies for entitlement award for cost centres and profit centres.
Authorization objects
When you mix roles, either after upgrading or during role menu changes, changes are made to the permission values. You can view these changes as a simulation in advance. As described in Tip 43, "Customising Permissions After Upgrading," administrators may see some upgrade work as a black box. You click on any buttons, and something happens with the permissions in their roles. For example, if you call step 2c (Roles to be reviewed) in the SU25 transaction, all roles will be marked with a red light, which requires mixing based on the changed data from the SU24 transaction. Once you call one of these roles and enter the Permissions Care, the permission values change immediately. Using the Alt, New, or Modified update status, you can see where something has changed, but you cannot see the changed or deleted values. A simple example of how to play this behaviour without an upgrade scenario is changing the role menu. Delete a transaction from a test role and remix that role. You are aware that certain authorization objects have now been modified and others have even been completely removed, but can't all changes at the value level be replicated? Thanks to new features, this uncertainty is now over.
You can also monitor security alerts from the Security Audit Log via the Alert Monitoring of your Computing Centre Management System (CCMS). The security warnings generated correspond to the audit classes of the events defined in the Security Audit Log. Many companies also have the requirement to present the events of the Security Audit Log in other applications. This requires evaluation by external programmes, which can be done via the XML Metadata Interchange (XMI) BAPIs. You must follow the XMI interface documentation to configure it. You can also use the RSAU_READ_AUDITLOG_ EXTERNAL sample programme as a template. A description of this programme can be found in SAP Note 539404.
Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.
Some useful tips about SAP basis can be found on www.sap-corner.de.
As an administrator, you can also back up failed permission checks from other users.
The freeware Scribble Papers is a "note box" in which all kinds of data can be stored. It takes in typed texts as well as graphics and entire documents. The data is then organised in folders and pages.
This does not mean, of course, that there are not very good partner products for the care of roles.