AUTHORIZATIONS IN SAP SYSTEMS
Maintain permission values using trace evaluations
Without generic table logging, certain changes in the system are not traceable. Learn how to turn on table logging in the system for a large set of tables. The SAP system writes change documents for most changes - but not all. Specifically, changes to tables in which the customising is performed are not recorded in the modification documents. This may lead to a lack of comprehensibility of changes. Avoid this by basically enabling table logging and then setting logging for specific additional tables. You should always enable table logging for all clients. However, during a release upgrade it may be necessary to temporarily disable table logging.
Depending on the configuration of root data and processes, different permission checks can be relevant, so that it makes sense to adjust the proposed values. If custom applications have been created in the form of Z-transactions, Web-Dynpro applications, or external services, you must maintain suggestion values for these applications to avoid having manual permissions in the PFCG roles. You must ensure that custom applications are not always visible in the SU24 transaction. This is the case for TADIR services and external services. To learn how to make these services available for suggestion maintenance, see Tip 38, "Use the SU22 and SU24 transactions correctly.".
Coordinate authorisation management in customer-owned programmes
For the scenario of sending initials passwords, signing emails is not so relevant. Although it is possible to send an encrypted e-mail with a fake sender address, in this case the initial passwords in the system would not work. It looks different when you send business data; In such cases, verification of the sender via a digital signature is recommended. If you want to send e-mails digitally signed, we advise you to send them at the system's e-mail address. To do this, use the SEND_EMAIL_FOR_USER method described and place the sender's tag on the system. In this case, you need a public key pair for your ABAP system, which is stored as a Personal System Security Environment (PSE). For a detailed description of the configuration, including for verification and decryption of received emails, see the SAP Online Help at http://help.sap.com/saphelp_nw73ehp1/helpdata/en/d2/7c5672be474525b7aed5559524a282/frameset.htm and SAP Note 1637415.
Administrative activities are used to control system behavior and make various security-relevant settings. To minimize the risk of a system failure or the creation of a security vulnerability, administrative rights should only be granted to employees in the basic administration. The following list may be supplemented by suggestions from the company's own administration. It contains only the most important authorization objects for each subject area.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
You can now decide how the applications appear in the Role menu.
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
However, if the business partner has also been maintained in organisational management, there is no standard evaluation path for this case and the user assigned to the role is not found.