SAP Authorizations SIVIS as a Service - SAP Basis

SIVIS as a Service
Object S_BTCH_ADM (batch administration authorization)
The S_RFCACL authorization object is removed from the SAP_ALL profile by implementing SAP Note 1416085. This note is included in all newer support packages for the Basis component; it affects all systems down to Basis release 4.6C. The reason for this change is that the S_RFCACL authorization object, and especially the full authorization value (*), is classified as particularly critical for its fields RFC_SYSID, RFC_CLIENT and RFC_USER. These fields define from which systems and clients, and for which user IDs, applications are allowed on the target system. Full authorization for these fields therefore allows logon from any system and client and for any user, and thus creates significant security risks.
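
One way to look for the wildcard values described above in exported role data, as an added example that is not part of the original page. It assumes a CSV export whose columns are named like those of the role authorization table AGR_1251 (AGR_NAME, OBJECT, AUTH, FIELD, LOW); the role names and rows are constructed.

```python
import csv
import io
from collections import defaultdict

# The three S_RFCACL fields the text classifies as critical when set to "*".
CRITICAL_FIELDS = ("RFC_SYSID", "RFC_CLIENT", "RFC_USER")

# Constructed sample export (assumed AGR_1251-style columns, hypothetical roles).
SAMPLE_EXPORT = """\
AGR_NAME,OBJECT,AUTH,FIELD,LOW
Z_RFC_TRUSTED_ALL,S_RFCACL,T-X001,RFC_SYSID,*
Z_RFC_TRUSTED_ALL,S_RFCACL,T-X001,RFC_CLIENT,*
Z_RFC_TRUSTED_ALL,S_RFCACL,T-X001,RFC_USER,*
Z_RFC_TRUSTED_ALL,S_RFCACL,T-X001,ACTVT,16
Z_RFC_FROM_PRD,S_RFCACL,T-X002,RFC_SYSID,PRD
Z_RFC_FROM_PRD,S_RFCACL,T-X002,RFC_CLIENT,100
Z_RFC_FROM_PRD,S_RFCACL,T-X002,RFC_USER,*
Z_RFC_FROM_PRD,S_RFCACL,T-X002,ACTVT,16
Z_BATCH_ADMIN,S_BTCH_ADM,T-X003,BTCADMIN,*
"""


def find_wildcard_rfcacl(export_text):
    """Return (role, auth, severity, fields) for S_RFCACL wildcards.

    severity is "total" when all three critical fields of one
    authorization instance are "*", otherwise "partial".
    """
    wildcards = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["OBJECT"].strip() != "S_RFCACL":
            continue  # wildcards on other objects are out of scope here
        field = row["FIELD"].strip()
        if field in CRITICAL_FIELDS and row["LOW"].strip() == "*":
            # Group by role and authorization instance, since the three
            # fields are evaluated together within one instance.
            wildcards[(row["AGR_NAME"].strip(), row["AUTH"].strip())].add(field)

    findings = []
    for (role, auth), fields in sorted(wildcards.items()):
        severity = "total" if len(fields) == len(CRITICAL_FIELDS) else "partial"
        findings.append((role, auth, severity, sorted(fields)))
    return findings


if __name__ == "__main__":
    for role, auth, severity, fields in find_wildcard_rfcacl(SAMPLE_EXPORT):
        print(f"{role} [{auth}] {severity}: {', '.join(fields)}")
```
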


When you create users in the SU01 transaction, do you want to automatically pre-populate certain fields from a data source? Use a new BAdI for which we present an implementation example. If you create a user in the SU01 transaction in an SAP system, there is almost always data about that user in other systems. A classic example is user data in the Active Directory or the personnel master data in SAP ERP HCM, which are already maintained as part of the employee recruitment process. If user data is present in multiple systems, then the first choice is to create the user automatically through an identity management system, triggered by an HR trigger in SAP Identity Management (ID Management). ID Management detects changes, for example to personnel master data in SAP ERP HCM or to business partners in SAP CRM, and either creates the appropriate users in your systems or makes changes and deactivations. But what if you don't have an identity management system in place? Do you need to type in all of this data? No, you can pre-populate it automatically. You can use a Business Add-In (BAdI), which allows you to pre-populate certain fields when you create a user in the SU01 transaction.
Goal of an authorization concept
Have you noticed that the maintenance status of the permissions in PFCG roles changes when you maintain, change, or manually add authorization objects? Find out what the maintenance status means. When you delete or add transactions in the role menu of PFCG roles, the respective permissions in the PFCG role have the maintenance status Standard. If you add or change the permissions, the maintenance status changes to either Maintained or Changed. You may also have seen the maintenance status Manual before. What is the background to these maintenance statuses, and what do they actually mean?

In practice, the main problem is the definition of content: The BMF letter remains very vague here with the wording "tax relevant data". In addition, there is the challenge of limiting access to the audited financial years.

With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.

This transaction is intended for migration tasks, but is also very well suited to allow a particular transaction to be repeated and automated.

This value does not limit the data displayed in the legitimate report.