Understanding SAP HANA Permissions Tests
Authorizations in SAP systems: what admins should look out for
The AL08 transaction displays all logged-in users and their application servers. In the Server Name column, you can see which application server the user is logged on to, and which has the permission issue. Switch to this application server by calling the SM51 transaction and double-clicking the application server you are looking for. On the application server that is now active, run the permission trace as usual and review the evaluation.
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
So much information... how can you keep it so that you can find it again when you need it? Scribble Papers is a "note box" that makes this very easy.
Different users in your SAP system will have different password rules, password changes, and login restrictions. The new security policy allows you to define these user-specific and client-specific. It happens again and again that there are special requirements for password rules, password changes and login restrictions for different users in your SAP system. There may be different reasons for this.
Dialogue user
Incorrect use of the user types and password rules can result in the shutdown of the RFC interfaces. Find out what types of users you can use and how the password rules affect these types of users. In the SAP system, you can choose between different user types when creating users. These user types control the login behaviour and also the impact of password rules on the user. This can lead to undesirable behaviour, especially if the parameter for the validity of the initial password is set. It is often not known that the password rules also apply to users of the communication type. Communication users usually use an initial password because a dialogue is not possible and the password is not changed. If parameters for the validity of the initial password are now also introduced, these also apply to communication users. We will show you how to prevent such problems and give you an overview of the types of users and the impact of the password rules.
Are you already using BAPIs in user care? For example, you can use them to set up a password reset self service. We show you how to do this and what you need to pay attention to. Especially with large system landscapes and systems that are only sporadically used, users often forget their password. Strengthened password rules (e.g. to change a password regularly or to require certain character types to be used), which are supposed to serve security, do their part. Forgotten passwords and the frequently resulting user locks are unfortunately often lost to the user when access to a system is most needed. Unlocking a user and assigning a new password is rarely done in real time, even with large 24-hour support service departments. This problem, which I am sure you are familiar with, does not exactly promote employee satisfaction and productivity. A self-service that uses the Business Application Programming Interfaces (BAPIs) can counteract this.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
This report requires only viewing permissions that can be assigned to the above-described group without any concerns.
It will make their lives easier in the future.