Optimise trace analysis
Displaying sensitive data
Once you have edited the role menu, you can customise the actual permissions in the PFCG role. To do this, click the Permissions tab. Depending on the quantity of external services from the Role menu, the authorization objects will appear. The authorization objects are loaded into the PFCG role, depending on their suggestion values, which must be maintained for each external service in the USOBT_C and USOBX_C tables. You can edit these suggested values in the SU24 transaction. Make sure that external services in the Customer Name Room also have the names of external services and their suggestion values in the tables maintained (see Tip 41, "Add external services from SAP CRM to the proposal values"). Visibility and access to external services is guaranteed by the UIU_COMP authorization object. This authorization object consists of three permission fields: COMP_NAME (name of a component), COMP_WIN (component window name), COMP_PLUG (inbound plug).
You want to create a permission concept for applications that use SAP HANA? Find out what you should consider in terms of technical basics and tools. As described in Tip 22, "Application Solutions for User Management in SAP HANA", there are different application scenarios where the permission assignment on the HANA database is required.
Context-dependent authorizations
If an entry in transaction SE97 is correctly created, a permission check is performed in the same way as a transaction startup authorisation. This approach therefore requires an exact and complete configuration for each transaction that is invoked. The required effort and the space for errors are correspondingly large. The CALL TRANSACTION ABAP command does not cause a transaction startup permission check. Without a permission check, the ABAP programme could unintentionally allow users to access system resources. In many cases, such authorisation problems lead to a hidden compliance violation, because this means that the traceability of user actions in the SAP system is no longer guaranteed. A developer should not rely on the functionality of the SE97 transaction and therefore should include the possible permission checks in the code. Therefore, one of the following explicitly coded permission checks for the CALL TRANSACTION statement must be performed.
Do you need to integrate the S_TABU_NAM authorization object into your existing permission concept? In this tip, we show you the steps that are necessary to do this - from maintaining the suggestion values to an overview of the eligible tables. You have added the S_TABU_NAM authorization object to your permission concept, so that users can access the tables not only through the S_TABU_DIS authorization object, but also through S_TABU_NAM. This directly regulates access to the tables via table permission groups or, if access is not allowed through table permission groups, via the table permission (see Tip 73, "Use table editing authorization objects"). Do you want to identify the tables or created parameter transactions that allow access to only specific tables to maintain SU24 for these suggested values in the transaction? This makes it easier to maintain PFCG roles. Furthermore, a tool would be useful to give you an overview of the tables for which a user is entitled.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
You can then maintain suggestion values for the parameter transaction you created.
With apm Suite, you can put together your individual GRC/SOX-compliant solution for SAP authorizations as needed.