Important components in the authorization concept
Analyse and evaluate permissions using SAP Query
Permissions are often not restricted because there is often no information about how the object should be shaped. The identification of the required functional components is often considered to be too burdensome and the risks from a lack of limitation are considered to be too low.
For accesses by verifier users (from the table TPCUSERN), the selection parameters of the invoked transaction are logged in the application log and can be evaluated with the report CA_TAXLOG. In the example, the single ledger entry for the vendor account 100000 was invoked.
Maintain authorization objects more easily
This report not only gives you an overview of the table logging settings in the tables, but also allows you to select multiple tables for logging. The Log flag button allows you to set the table logging check for all previously selected tables. The current status of the table loggers for the tables can be found in the Protocol column. The icon means that the table logger for the selected table is off.
Since a role concept is usually subject to periodic changes and updates, e.g. because new functions or modules are introduced or new organisational values are added, role names should be designed in such a way that they can be expanded. Therefore, in the next step, define the useful criteria you need in your role name.
Authorizations can also be assigned via "Shortcut for SAP systems".
In this tip, we will show you how to use PFCG roles to control the design of the NWBC user interface.
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
In order to be able to use the following reports, you must not only have the appropriate authorizations, but also be aware that, depending on your SAP release or Notes, some reports are not yet or no longer available.