SAP Authorizations Implementing Permissions Concept Requirements - SAP Corner

Implementing Permissions Concept Requirements
Note the effect of user types on password rules
Further changes can be found when using the proof of use. When you click on the button (proof of use), you will receive a new selection. You can check which permissions, SU24 suggestion values, or SU22 suggestion values the authorization object uses. The ABAP-Workbench selection, as in previous releases, provides you with the proof of use for implementing the authorization object in programmes, classes, and so on. You can use the SAP NEW Data button to mark whether this authorization object is relevant to an SAP New role of a particular release.

If you want to allow users to access only individual table rows, you can use the S_TABU_LIN authorization object, which allows access to specific rows of a table for defined organisational criteria. A prerequisite for this type of permission is that the tables have columns with such organisational values, such as the plant, country, accounting area, etc. You must now configure these organisational values in the system as organisational criteria that represent business areas; these criteria serve as a bridge between the organisational columns in the tables and the permission field in the authorization object. Since the organisational criteria are found in several tables, this authorization check need not be bound to specific tables and can be defined across tables.
Optimization of SAP licenses by analyzing the activities of your SAP users
Now check the SY-SUBRC system variable. If the value is 0, the authorization check succeeded. If the value is 4, the check failed. A value of 8 indicates an inconsistency between the definition of the authorization object and the check in the code - this should not happen! If the value is 12, the authorization is not part of your authorization buffer.
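The return-code handling described above, as an added example that is not code from the original page. The report name Z_AUTHORITY_CHECK_DEMO and the default transaction value are assumptions; S_TCODE with its field TCD is the start-authorization object named on this page, and the return-code meanings are the ones given in the paragraph above.

```abap
REPORT z_authority_check_demo.

" Hypothetical input: the transaction whose start authorization is tested.
PARAMETERS p_tcode TYPE tstc-tcode DEFAULT 'SU01'.

START-OF-SELECTION.

  " Explicit check against S_TCODE for the current user.
  AUTHORITY-CHECK OBJECT 'S_TCODE'
    ID 'TCD' FIELD p_tcode.

  " Capture the result immediately: later statements may overwrite SY-SUBRC.
  DATA(lv_rc) = sy-subrc.

  CASE lv_rc.
    WHEN 0.
      WRITE: / 'Authorization check succeeded for', p_tcode.
    WHEN 4.
      WRITE: / 'Authorization check failed for', p_tcode.
    WHEN 8.
      " Object definition and the check coded here do not match:
      " a development defect, not a missing authorization.
      WRITE: / 'Check is inconsistent with the object definition'.
    WHEN 12.
      WRITE: / 'No S_TCODE authorization in the user buffer'.
    WHEN OTHERS.
      WRITE: / 'Unexpected return code', lv_rc.
  ENDCASE.

  " Fail closed: only return code 0 allows processing to continue.
  IF lv_rc <> 0.
    RETURN.
  ENDIF.

  WRITE: / 'Protected processing would start here.'.
```

Branching on the individual codes is for diagnostics only; the decision to continue depends solely on the value being 0.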

Despite progressive use of web interfaces in the S/4HANA context, batch processing for mass data is still required. However, our experience from customer projects shows that only very few authorization administrators know how to correctly authorize the scenarios. SAP OSS Note 101146 provides a good overview here. In this blog post, we would like to summarize the context for practical use.

However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".

Even a lack of know-how about SAP authorizations cannot be compensated for cost-effectively by means of tools.

You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.


The following actions are subject to authorization checks that take place before a program or table maintenance is started and cannot be bypassed by SAP applications: Start of transactions (authorization object S_TCODE) - Start of Web Dynpro applications (authorization object S_START) - Start of reports (authorization object S_PROGRAM).