SAP authorizations: Recommendations for setting up, monitoring and controlling
Task & functionality of the SAP authorization concept
Finally, the check logic provides for a row-level check within a table if you want to restrict access to the table contents depending on an organisational mapping. For example, if you want a user to view only the data from a table that affects the country where their work location is located, you must configure it accordingly. To do this, you define and activate organisation-relevant fields as an organisational criterion (see Tip 62, "Organisationally restrict table editing permissions"). To keep track of which users can access which tables, run the SUSR_TABLES_WITH_AUTH report. This report provides information about which user or single role has the S_TABU_DIS or S_TABU_NAM authorization objects. The result list shows all the authorised tables, their permissions, and their permission values.
You have an organizational structure that includes 4 hierarchical levels - authority, department, unit, functional area). The authorization concept in your organization states that access (processing) to Records Management objects should be allowed for an employee only within his/her own organizational unit. However, the authorization check should only take place on three levels. So if a unit is subdivided into further functional areas, all employees of the unit and the functional areas should have the same authorizations. Since department 2 and department 3 work very closely together, employees of department 2 should be able to read all files, transactions and documents of department 3 and vice versa.
Error analysis for authorizations (part 1)
The path with the associated permission group DEVL contains the local temporary files of the ABAP Frontend Editor of the ABAP development environment (transactions SE38, SE80, SE24, etc.). The two paths with the ADMN permission group show how logically related paths can be grouped into a S_PATH permission check. The two entries with the FILE permission group show how paths for Windows can be completed in systems with application servers of different operating systems. The core.sem and coreinfo entries are required to write run-time errors in the SNAP snapshot table. The dev_ and gw_ entries allow you to view files from the developer trace and Gateway Log in the ST11 transaction. If the suggestion in the first entry of the table is too restrictive, you can choose the alternative in the following table. This entry only forces a permission check on S_PATH and the ALL permission group; You should, however, only grant such permission very restrictively.
The SAP CO module is the module for classic controlling in a company. Part (the responsible area) of it is the control and analysis of costs. This also includes the control of the cost types and the cost rates that are incurred and posted in the company. Controlling then usually reports directly to the company management. It is supported by the tools from the SAP CO module, which can provide comprehensive evaluations and analyses. SAP CO can be subdivided into several further subareas. These include, for example, CO-PC (Product Cost Accounting), CO-PA (Profitability Analysis) or PCA (Profit Center Accounting).
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
Understanding the structure and functioning of the system is especially important for IT administration. It is not for nothing that "SAP Basis Administrator" is a separate professional field. On the page www.sap-corner.de you will find useful information on this topic.
This transaction allows you to verify that other applications have startup properties similar to those available in a particular application.
A note box in which data of all kinds can be quickly filed and retrieved. This is what Scribble Papers promises. At first, the program looks very spartan. But once a small structure is in place, you realise the great flexibility of this little helper.
Safeguard measures: Lock down the user EARLYWATCH and only unlock it when requested by SAP Support.