SAP Authorizations Checking at Program Level with AUTHORITY-CHECK - SAP Corner

Direkt zum Seiteninhalt
Checking at Program Level with AUTHORITY-CHECK
Analyze user buffer SU56
You can maintain the SE97 transaction to determine whether or not a transaction should start at origin. The information in this transaction comes from the TCDCOUPLES table and is included. You have the possibility to amend or supplement the proposals listed here. When the CALL TRANSACTION statement is invoked, additional transaction code pairings are written to the TCDCOUPLES table by activating the authorisation trace through the auth/authorisation_trace profile parameter. The check mark indicates whether the test is carried out. By default, it is set to unkempt after performing the trace. If the check mark is set to YES, the transaction startup permission is performed with the S_TCODE object. If applicable, other permissions maintained by the SE93 transaction are also checked when the transaction is called.

If the ID is maintained for all affected clients, there is no longer a risk that the six digits used from the fifth position of the generated profile name will be the same. For more information on how to handle generated profiles in complex system landscapes, see Tip 54, "Managing Generated Profile Names in Complex System Landscapes.".
Goal of an authorization concept
Access to personal data in a company is a sensitive issue. It is essential to manage this access securely and to be able to provide information at any time about who has access to the data, when and in what way - and not just for the sake of the auditor. For this reason, the topic of SAP authorizations is a very important one, especially for the HR department.

If you want to allow users to access only individual table rows, you can use the S_TABU_LIN authorization object, which allows access to specific rows of a table for defined organisational criteria. A prerequisite for this type of permission is that the tables have columns with such organisational values, such as the work, country, accounting area, etc. You must now configure these organisational values in the system as organisational criteria that represent business areas; serve as a bridge between the organisational columns in the tables and the permission field in the authorization object. Since the organisational criteria are found in several tables, this eligibility check need not be bound to specific tables and can be defined across tables.

"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.

After clicking on this button, you will see the current ZBV status in the area of the same name and can release the selected system from the ZBV via the Run button.

If you want to know more about SAP authorizations, visit the website

To do this, use the protocol evaluation of the AIS in the transaction SAIS_LOG or click the button in the transaction SAIS.
SAP Corner
Zurück zum Seiteninhalt