Use usage data for role definition
Set Configuration Validation
This start authorization check is delivered inactive. To use it, you must activate it. After activation, you can use authorizations to control which Web Dynpro ABAP applications users are allowed to run. For the start authorization check of Web Dynpro ABAP applications, the system uses the authorization object S_START in the same way as the authorization object S_TCODE for transactions. The object has the fields AUTHPGMID, AUTHOBJTYP and AUTHOBJNAM, which correspond to the key fields PGMID, OBJECT and OBJ_NAME of the object catalog (table TADIR). So, during the start authorization check, the Web Dynpro ABAP runtime checks the key of the object catalog entry for the Web Dynpro ABAP application.
In most cases, customizing is performed using transaction SPRO. However, this is only the initial transaction for a very comprehensive tree structure of further maintenance transactions. Most customizing activities, however, consist of indirect or direct maintenance of tables. Therefore, a random check of the authorization structure in this environment can be reduced to table authorizations. In the case of delimited responsibilities within customizing (e.g. FI, MM, SD, etc.), attention should therefore be paid here to an appropriate delimitation within the table authorizations. Independent of assigned transaction authorizations within customizing, a full authorization on table level combined with a table maintenance transaction such as SM30 practically corresponds to a full authorization in customizing. Normal customizing by user departments generally refers to client-specific tables. Access to system tables should therefore be restricted to basic administration if possible.
General considerations
For an authorization concept, a clear goal must first be defined that is to be achieved with the help of the concept. This should list which regulatory requirements the respective SAP system must fulfill and the associated authorization concept must take into account. In this way, the legal framework conditions are defined. In addition, uniform naming conventions should be used because, on the one hand, many things cannot be changed after the initial naming and, on the other hand, this ensures searchability in the SAP system. Clearly defined responsibilities ensure the effectiveness of a concept. Specific persons must be named or at least roles defined in a separate section. A chapter should be dedicated to the process for user management. Here, it must be described how users obtain existing SAP authorizations, how new users are integrated into the SAP system, and who is responsible for approving authorizations. The chapter on the process for authorization management defines who is allowed to create and edit which roles and who is responsible for the development of various related processes. The chapter on special authorizations describes processes and special features in the area of non-dialog operations. These include job management and interface convention. Other administrative authorizations can also be described. The chapter on role concept explains how business requirements are transferred to a technical role. The role concept takes on a special significance, since it describes the actual mapping of business roles to the technical roles and thus to the authorizations in SAP.
The object S_PROGRAM checks since SAP Release 2.x for the field TRDIR-SECU i.e. the authorization group of the program. As of Release 7.40, you can optionally switch on a check for the object S_PROGNAM. For more information, see note 2272827 for further instructions. The check on S_PROGNAM MUST first be activated in the customer system. Note, however, that they CORRECTLY authorize S_PROGNAM before doing so, otherwise NOBODY except emergency users will be able to start any report or report transaction after the SACF scenario is activated.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
The website www.sap-corner.de offers many useful information about SAP basis.
The Profile Generator is used to simplify and speed up user administration and should always be used when setting up authorizations for your employees.
To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.
This report can be found in the User Information System (transaction SUIM).