SAP Security Concepts
Set up permission to access Web Dynpro applications using S_START
In the transaction SU01, enter a non-existent user ID and click the Create button (F8). The BAdI BADI_IDENTITY_SU01_CREATE is called with the new user ID. Implementation in the BAdI is running. For example, here you can read additional attributes to the new user from an external data source. The data collected within the BAdIs is written into the fields of the transaction SU01. This will show you the new user master set with the pre-filled fields. You can edit the user master record, such as assign roles, or change the pre-populated fields.
SAP authorizations are not exclusively an operational issue - they are also essential for risk management and compliance and represent one of the key audit topics for internal auditing and auditors. In most cases, the different rules according to which the risks of SAP authorizations are assessed are problematic.
Challenges in authorization management
Permissions profiles are transported in the standard (since release 4.6C) with the roles. If you do not want to do this, you have to stop the data export in the source system by the control entry PROFILE_TRANSPORT = NO. The profiles must then be created by mass generation before the user logs are matched in the target system. This can be done via transaction SUPC.
Insert SAP Notes 1656965 and 1793961 into your system. With these hints, the report RSUSR_LOCK_USERS is delivered or extended. This report supports automatic selection and blocking of inactive users. To do this, you have to select the criteria in the selection screen of the RSUSR_LOCK_USERS report, according to which you want to lock or invalidate users. You can determine the choice of users by using various criteria. It is recommended to take into account the period since the last login in the Days since last login field and the password status in the Days since password change field. You have the option to check the result of the selection and view the users found. To do this, select the Test of Selection action in the Select Action pane. You can also choose between the User Lock-outs (Local Lock-outs) and User Unlock (Local Lock-outs) actions in this area. You can set the end of a user's validity by clicking the corresponding options for "today" or "yesterday". Note that you can only set the validity for current users.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
SAP Basis is the foundation of any SAP system. You can find a lot of useful information about it on this page: www.sap-corner.de.
SAPHinweis 1257133 describes the procedure for creating such a concept.
The freeware Scribble Papers is a "note box" in which all kinds of data can be stored. It takes in typed texts as well as graphics and entire documents. The data is then organised in folders and pages.
In order to provide user authorisation support, you often need their information.