Dissatisfaction and unclear needs in the process
Assignment of critical authorizations and handling of critical users
The organisation of a company is represented in the SAP system. Keep an overview here to identify dependencies and control access permissions in an organisation-specific way. In customising, different organisational values are stored for the individual ERP components to enable an organisational mapping of the root and movement data. This mapping is required, among other things, to control access permissions or constraints. We will show you how you can get an overview of the well-maintained organisational units and see dependencies between the different organisational values.
The logging takes place in both the central system and the subsidiary systems. If the change documents are to be read for the attached subsidiary systems, the subsidiary systems must also be at the release and support package status specified in SAP Note 1902038. In addition, RFC users in their daughter systems need permission to read the change documents using the S_USER_SYS authorization object with the new activity 08 (Read the change document).
Object S_BTCH_NAM and S_BTCH_NA1 (use of foreign users in Steps)
For an up-to-date description of the eligibility tests in the EWA, see SAP Note 863362. Updates to these checks are provided by keeping the ST-SER software component, which contains the definition of checks to be performed, up to date and enabling the automatic content update in the SAP Solution Manager.
The S_RFCACL authorization object is removed from the SAP_ALL profile by inserting SAP Note 1416085. This notice is included in all newer support packages for the base component; This affects all systems down to base release 4.6C. The reason for this change is that the S_RFCACL authorization object, and especially the expression "total permission" (*), is classified as particularly critical for its fields RFC_SYSID, RFC_CLIENT and RFC_USER. These fields define from which systems and clients or for which user IDs applications should be allowed on the target system. Thus, the overall authorisation for these fields allows the login from any system and client or for any user and thus creates significant security risks.
Authorizations can also be assigned via "Shortcut for SAP systems".
Standard programs / transactions of an ERP system are already equipped with these objects during the initial installation.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
You can still assign roles and profiles to a user if you have the appropriate permissions to these activities.