SAP Authorizations System trace function ST01

Direkt zum Seiteninhalt
System trace function ST01
Customise SAP_ALL Profile Contents
In general, you should note that not all relevant change documents of a system are present in the user and permission management. As a rule, authorisation administration takes place in the development system; Therefore, the relevant proof of amendment of the authorisation management is produced in the development systems. By contrast, you will find the relevant user administration change documents in the production systems; Therefore, you should note that when importing roles and profiles in the production systems, no change documents are written. Only transport logs are generated that indicate that changes have been made to the objects. For this reason, the supporting documents of the development systems' authorisation management are relevant for revision and should be secured accordingly.

For an overview of the active values of your security policy, click the Effective button. Note that not only the attributes you have changed are active, but also the suggestion values you have not changed.
SAP S/4HANA® Launch Pack for Authorizations
Eligibility objects that were visible in the permission trace are quickly inserted in rolls. But are they really necessary? Are these possibly even critical permissions? A review of the Permissions Concept can reveal that critical permissions are in your end-user roles. We would like to give you some examples of critical permissions in this tip. It is helpful to know which authorization objects are covered by the critical permissions. They must also ask themselves whether the granting of these allowances entails risks.

The Permissions check continues again if the table in question is a client-independent table. This is done by checking the S_TABU_CLI authorization object, which decides on maintenance permissions for client-independent tables. For example, the T000 table is a table that is independent of the client and would be validated. To enable a user to maintain this table by using the SM30 transaction, you must maintain the S_TABU_CLI authorization object, in addition to the table permission group or specific table, as follows: CLIIDMAINT: X.

With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.

If you want to get more information about SAP basis, visit the website www.sap-corner.de.


Eine Ausnahme von dieser Regel gibt es allerdings: Auch wenn andere Authentifizierungsverfahren genutzt werden, prüft das System, ob der Benutzer dazu in der Lage ist, sich mit einem Passwort anzumelden.

So much information... how can you keep it so that you can find it again when you need it? That's what Scribble Papers is great for.


Therefore, SAP standard users such as SAP* and DDIC must also be considered, some of which have extensive authorizations and pose a danger without conceptually defined protection.
Zurück zum Seiteninhalt