AUTHORIZATIONS IN SAP SYSTEMS
SAP systems: Control user authorizations with a concept
Do you want to automatically monitor the security settings of your systems and receive convenient evaluations? We will explain how to use configuration validation. If you have a large SAP system landscape in use, the control of the many different security settings can be complex. You define your security requirements for the entire SAP system landscape; they concern, for example, the settings of the profile parameters, the handling of safety instructions or critical permissions that may only be assigned to emergency users. You can define these requirements in the SAP Solution Manager Configuration Validation application and evaluate compliance with these requirements in all systems.
Balance: In the settlement transactions, the user is only presented with the supporting documents for which he or she has permission. If the Profit Centre field is not filled in the journal view (Table BSEG), the general ledger view (usually Table FAGLFLEXA) is checked. To compensate, we recommend that you include the Profit Centre in the selection fields of the balancing transactions.
Define a user group as mandatory field in the user root
Transaction PFCG also offers you the option of automatically collecting permissions. Not every transaction entered into a single role via a role menu necessarily needs its own permission entry in the permission tree, because some transactions have identical or similar permission proposal values.
The security policy was introduced with the SAP NetWeaver 7.31 release; for their use you need at least this release. Security policies thus replace the definition of password rules, password changes, and login restrictions via profile parameters. The security policy is assigned to the user in transaction SU01 on the Logon Data tab. Profile parameter settings remain relevant for user master records that have not been assigned a security policy. Some of the profile parameters are also not included in the security policy and therefore still need to be set system-wide. Security policy always includes all security policy attributes and their suggestion values. Of course, you can always adjust the proposed values according to your requirements. You define security policy about the SECPOL transaction. Select the attributes for which you want to maintain your own values and enter the values accordingly. The Descendable Entries button displays the attributes that are not different from the global entries.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
If such an external service is removed from the role menu and the PFCG role is generated, the user of this PFCG role does not have permissions to view this external service (see screenshot next page).
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
In the selection, you can now distinguish whether you want to include or exclude users with administrator or password locks in the selection.