Coordinate authorisation management in customer-owned programmes
Use the authorisation route to identify proposed values for customer developments
The SAP authorization concept protects transactions and programs in SAP systems on the basis of authorization objects. Authorization objects enable complex checks of an authorization that are bound to several conditions. Authorizations represent characteristics of authorization objects depending on the employee's activity and responsibility. The authorizations are combined in an authorization profile that belongs to a role. The administrator assigns the appropriate role to the employee via the user master record so that the employee can perform his or her tasks in the system.
You assign a reference user to a dialogue user by registering the reference user for additional rights in the SU01 transaction on the Roles tab in the Reference User field. If you are using Central User Administration (ZBV), the assignment applies to all connected systems. If the reference user does not exist in one of the systems, the mapping is ignored. However, the use of reference users also creates risks. This makes it easier to summarise permissions because it is difficult to keep track of the assigned permissions. In SAP NetWeaver AS ABAP 7.0 and above, reference users are considered in the reports of the user information system.
Implementing the authorization concept in the FIORI interface
This report has two functions: PFCG role consolidation - Identical roles are grouped into a single user base when validity periods overlap or connect directly to each other. Select the users, user groups, or roles to apply these rules to in the Selection Criteria pane. Deleting Expired PFCG Scrolls - If you uncheck Expired Mappings, Expired Scrolls will be removed from the user's root.
Like all other security issues, SAP authorizations must be integrated into the framework used. The risks associated with incorrectly assigned authorizations must be classified as very high. The definition of a holistic governance, risk and compliance management system is required. This ensures that risks are recorded, analyzed, evaluated, coordinated and forwarded within the company at an early stage. Accordingly, the risks arising from incorrectly assigned SAP authorizations or from a lack of a process for monitoring authorizations are also included here.
Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.
This includes the maintenance of proposed values in the transaction SU22.
These are assigned via specific groups, which in addition to the normal authorizations (such as create, change, display cost centers) also assign access to the appropriate FIORI Apps.