SAP Authorizations Maintenance Status - SAP Basis

Direkt zum Seiteninhalt
Maintenance Status
Use system recommendations to introduce security
System users are also intended for anonymous access. They are used in technical operations that require a user, such as batch runs or RFC connections. With them, therefore, no dialogue login is possible on the SAP system, but only the login via RFC call. Multiple logins are always possible for a system user, and the password modification rules (see also the explanation under "Service Users") do not apply. The password of a system user always has the status Productive and can only be changed by the user administrator.

In order to be able to execute subsequent SAP standard reports, you need authorizations to access certain programs or reports and in the area of role maintenance. The transactions "SA38" and "SE38" for executing programs are of particular importance. They enable a far-reaching system analysis by means of certain programs for the end user. Additional rights associated with this, which can go beyond the basic rights of administrators, have to be controlled by explicit values in a dedicated manner.
Organisational allocation
When accessing tables or views, the S_TABU_DIS authorization object is used to grant permission for a specific table permission group in the permission check. Note in this context also Tip 73 "Use authorization objects for table editing" and the S_TABU_NAM authorization object presented there. You can create table permission groups by using the transaction SE54 or by using the V_TBRG_54 care dialogue. They fall under the customising and can only contain four characters until SAP NetWeaver 7.31 SP 2. To create a table permission group, call the SE54 transaction and select Permissions Groups in the Edit Table/View pane. The Create/Modify button provides an overview of the existing table permission groups. For example, this way you can also change the name of a table permission group. In the Table Rights Group overview, click the New Entries button to create a new table permissions group. Give a name for your permission group and a matching name. After you have saved the new entries, your custom table permission group is created.

In principle, all eligibility fields can be upgraded to the organisational level; there are, however, technical exceptions and fields where this is not useful. Technically, the fields that are in the context of testing the startup capability of an application are excluded, i.e. the fields of the S_TCODE, S_START, S_USER_STA, S_SERVICE, S_RFC, S_PROGRAM and S_USER_VAL authorization objects. In addition, you cannot elevate the ACTVT field to the organisation level. Only the fields that can be assigned a value range within a role are meaningful. This must of course be considered across the board for the authorisation concept. For example, fields that have more than one meaning, such as the Authorisation Group (BEGRU), are not suitable for material management. The PFCG_ORGFIELD_CREATE report allows you to define a permission field as an organisation level. The report enters the field in the USORG table, changes the permission proposal values to that field, and performs all the roles that have a shape in the field.

However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".

Select the applications you want to apply to the Roles menu and click Apply.

Confirmation of the dialogue will immediately start the recording; They therefore end up in the PFCG transaction.
Zurück zum Seiteninhalt