Our services in the area of SAP authorizations
Take advantage of roll transport feature improvements
This type of programming makes sense if large amounts of data have to be read. Before starting to read the data from the database, a DUMMY check can be used to quickly determine whether the user is authorized to access part of the data. However, as can be seen from the table above, a code must not only be secured by a general check, but must be supplemented by later, detailed checks. However, even in this context space (or ' ') does not need to be explicitly authorized.
In the beginning, the FI and CO modules were separated from each other. Both modules have been combined by SAP as higher-level modules in the accounting area. The main reason for this is the tight process structure, which enables a smooth transition between the two modules. As a result, SAP FI and CO now only appear as the joint module SAP FICO.
SAP Security Automation
Create a report transaction for the report that is called in the background job. Set up the report transaction in the transaction SE93 and assign the report RHAUTUPD_NEW as a programme. Start the authorisation trace by setting the auth/ authorisation_trace profile parameter to Y or F if you want to work with filters (see tip 38, "Use the SU22 and SU24 transactions correctly"). Now run the job to collect permission checks on the permission trace. Your permission checks should now be visible in the STUSOBTRACE transaction. Now maintain the permission proposal values for your report transaction in transaction SU24 by entering the transaction code in the appropriate field. You will find that no values are maintained. Now switch to Change Mode. You can add your permission suggestions from the trace using the Object > Insert objects from Permissions Trace > Local (see Tip 40, "Use Permission Trace to Determine Suggest Values for Custom Developments"). Add the suggestion values for each displayed authorization object. Now create a PFCG role that includes the report transaction permission and maintain the open permission fields. Then test whether the job can be run with the permissions from the PFCG role.
The requirements in the third example to filter the Post Journal Display (transaction FAGLL03) can be implemented using the BAdIs FAGL_ITEMS_CH_DATA. Depending on the permissions granted, certain items or documents should be excluded from display. You can see the definition of BAdIs through the SE18 transaction, and in the SE19 transaction you create an implementation of the BAdIs in the Customer Name Room.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
In addition, executable transactions may also result from the assignment of a reference user; the reference user's executable transactions are also taken into account.
We described the configuration of the retention time of the statistical usage data in Tip 26, "Use usage data for role definition".