User master data
Architecture of authorization concepts
When the FIORI interface is called up, different roles (Fiori groups) are associated with factually related FIORI tiles. As an example, here is the group Master Data in which the FIORI tile "Manage Cost Center" can be found.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
A note box in which data of all kinds can be quickly filed and retrieved. This is what Scribble Papers promises. At first, the program looks very spartan. But once a small structure is in place, you realise the great flexibility of this little helper.
Security notes correct vulnerabilities in SAP standard software that can be exploited internally or externally. Use the System Recommendations application to keep your systems up to date. SAP software is subject to high quality assurance standards - however, security vulnerabilities may occur in the code. These vulnerabilities can, in the worst case scenario, open the door to external and internal intruders. It is not difficult to find guidance on exploiting these vulnerabilities in relevant internet forums. A permission concept is only as good as the code that performs the permission checks. If no permission check occurs in your code, the permission concept cannot restrict access. For these reasons, SAP has introduced Security Patch Day (every other Tuesday of the month), which will allow you to better plan for implementing the security advisories. In addition, you can use the System Recommendations application in the SAP Solution Manager to get a detailed, cross-system overview of the security advice you need. The system status and the SAP hints already implemented are taken into account. With this support, ensure that your system landscape is at the current security level.
Correct settings of the essential parameters
Partners delivering their developments also maintain the proposed values for their applications in the transaction SU22. If customers are developing systems that supply other system landscapes than your system landscape and require different SU24 suggestion values per system, the proposed values in transaction SU22 will be maintained. The profile generator uses only the values of the transaction SU24 in your customer environment as a data base. To maintain the suggestion values, you can use both the System Trace data for permissions from the ST01 or STAUTHTRACE transaction and the data from the permission trace in the SU24 transaction (see Tip 39, "Maintain suggestion values using trace evaluations").
To create a authorization object, you must first select the result area and the form of the result invoice, whether calculating or accounting, for which you want to validate the authorization object. To do this, you must enter the name of the authorization object to be created and click the button (Next). You then set a text for the authorization object and select a maximum of ten permission fields for the object using the Fields button. Only a selection of the characteristics defined for the result area - and for the calculation of the result account also the value fields - is possible. You can now create different authorization objects for the key numbers and characteristics, or you can group the relevant fields into a authorization object. We advise you to define only one object with all relevant fields, as this will facilitate the maintenance of permissions. In our example, we created an accounting authorization object for the characteristics of the profit centre, distribution channel and work in the information system.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
However, you do not use the concept of the organisational matrix, but you have to store the new organisational values directly when the report is called.
Roles are assigned according to the function of employees in the company and their validity is limited depending on the task.