SAP Authorizations Configure Security Audit Log - SAP Basis

Configure Security Audit Log
Analyzing the quality of the authorization concept - Part 1
To read or modify data, a user must have both the privilege of performing a specific action and the privilege of accessing the object. The following privileges are distinguished in SAP HANA.

If your user is assigned the privilege ROLE ADMIN (either directly or through a role), you can create your own roles and assign them to users. You do this by drawing on existing privileges and roles. The privileges themselves are provided by developers who have the appropriate permissions to create applications, including the privileges those applications require. Often, as the permission administrator, you do not have the privilege to create privileges. This separation is also useful, because only the application developer can decide what properties the privileges for using the objects in the application should have. The application developer also decides whether the application provides appropriate roles in addition to privileges.
Essential authorizations and parameters in the SAP® environment
If you only want to translate the description of the role, it is recommended to record the PFCG transaction and to change the source language of the role using the Z_ROLE_SET_MASTERLANG report before the LSMW script runs through. The report on how to change the source language can be found in SAP Note 854311. Similarly, you can use the SECATT (Extended Computer Aided Test Tool, eCATT) transaction to perform the translation instead of the LSMW transaction.

A new transaction has been added to evaluate the system trace for permission checks only. You can call it using transaction STAUTHTRACE, and it is delivered via the respective support package named in SAP Note 1603756. This is a short-term trace that can only be used as a permission trace on the current application server and clients. In its basic functions, it is identical to the system trace in transaction ST01; unlike the system trace, however, only permission checks can be recorded and evaluated here.

Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.

To do this, you first create the PFCG role for the relevant transactions in the target system.

In the default selection you have the option to specify for which model view, for which modifier (Modified by) and for which time period you want to view change documents.