Module
Compensating measures for segregation of duties conflicts
Authorizations are assigned to users in SAP systems in the form of roles. The goal is to create a system that is as secure as possible and to keep the complexity and number of roles as low as possible. This is the only way to achieve a balanced cost-benefit ratio.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
The freeware Scribble Papers puts an end to the confusing paper chaos. The tool is also suitable for storing, structuring and quickly finding text documents and text snippets of all kinds in addition to notes.
Let's say that a user - we call her Claudia - should be able to edit the spool jobs of another user - in our example Dieter - in the transaction SP01. What do you need to do as an administrator? Each spool job has a Permission field; By default, this field is blank. If Claudia wants to see a Dieter spool job, the system will check if Claudia has a specific spool job permission with a value of DIETER. Claudia does not need additional permissions for its own spool jobs that are not protected with a special permission value.
Application Permissions
Run step 2a (automatic synchronisation with SU22 data). In this step, the data of the transaction SU22 of the new release will be transferred to the transaction SU24. If there is a change or difference in applications (changed check marks, suggestions, field values, or new or deleted authorization objects), the USOB_MOD or TCODE_MOD table of the MOD_TYPE is set to M. With SAP Note 1759777, a selection is offered for step 2a, with which this step can be simulated. Another option, Delete Flags for applications with modified data, is offered to apply the new changes only if Step 2a is executed selectively.
In everyday role maintenance, you often have to change the permission data of a single role again after you have already recorded the role in a transport order along with the generated permission profiles. In this case, you have previously had to create a new transport order because the table keys of the generated profiles and permissions are also recorded for each individual role record, but are not adjusted for subsequent changes in the role data.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
Some users, such as administrators, are not affected.
In such a case, it is also best to collect the business risks directly in the process description.