SAP Authorizations Note the maintenance status of permissions in roles and their impact - SAP Corner

Note the maintenance status of permissions in roles and their impact
Controlling permissions for the SAP NetWeaver Business Client
The permission check for the S_PATH object is performed as described only for files whose path is assigned a permission group in the SPTH table. In our example, to allow access to files with the path /tmp/myfiles*, you should grant permission for the S_PATH object with the value FILE in the FS_BRGRU field. Note that the authorization object distinguishes only two types of access, which summarise the access types of the S_DATASET authorization object: the value Modify corresponds to the values Delete, Write, and Write with Filter; the value View corresponds to Read and Read with Filter.

However, the preferred and more comprehensive variant of a programmatic permission check is the use of the AUTHORITY_CHECK_TCODE function module. This function module not only responds to a missing permission when the programme starts, but can also ensure that only the NO-CHECK indicators maintained in transaction SE97 permit an external call from another transaction context. This is determined by the function module and not by the developer.
Configure Security Audit Log
Since Release 4.6D, when a composite role menu is rebuilt, the system creates a new folder at the first hierarchy level for each of the roles included in the composite role, and only below that folder is the corresponding menu located. You can decide whether the text of each folder should consist of the technical name or the short text of the role. This function can be disabled by customising.

First and foremost, the legal principles must be stated, and specific reference must be made to authorizations that are critical under the law and that may not be assigned (or at most may be assigned to emergency users). An example is the authorization "Debugging with Replace", which is granted by the object S_DEVELOP with the values ACTVT = 02 and OBJTYPE = DEBUG and which allows data to be manipulated by changing main memory. This would violate § 239 of the German Commercial Code, the so-called "erasure prohibition".

Authorizations can also be assigned via "Shortcut for SAP systems".

Maintaining suggestion values via the SU24 transaction is useful if you want to reflect your own requirements or if the values provided by SAP do not meet customer requirements (see Tip 37, "Making sense in maintaining suggestion values").

You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.


The following evaluations use the table AGR_1251, which stores the authorization objects and their values for each role.
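As an added example (not code from the original page), the following sketch evaluates an AGR_1251 export for roles that grant the "Debugging with Replace" combination named above (S_DEVELOP with ACTVT = 02 and OBJTYPE = DEBUG). The semicolon-separated export layout, the role names, and the sample rows are constructed assumptions; the column names follow the AGR_1251 fields AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH and DELETED.

```python
import csv
import io
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample of an AGR_1251 export (role names and values are made up).
SAMPLE_EXPORT = """AGR_NAME;OBJECT;AUTH;FIELD;LOW;HIGH;DELETED
Z_DEV_FULL;S_DEVELOP;T_D001;ACTVT;01;03;
Z_DEV_FULL;S_DEVELOP;T_D001;OBJTYPE;*;;
Z_DEV_DISPLAY;S_DEVELOP;T_D002;ACTVT;03;;
Z_DEV_DISPLAY;S_DEVELOP;T_D002;OBJTYPE;DEBUG;;
Z_SPLIT;S_DEVELOP;T_D003;ACTVT;02;;
Z_SPLIT;S_DEVELOP;T_D003;OBJTYPE;PROG;;
Z_SPLIT;S_DEVELOP;T_D004;ACTVT;03;;
Z_SPLIT;S_DEVELOP;T_D004;OBJTYPE;DEBUG;;
Z_OLD;S_DEVELOP;T_D005;ACTVT;02;;X
Z_OLD;S_DEVELOP;T_D005;OBJTYPE;DEBUG;;X
Z_FIRE;S_DEVELOP;T_D006;ACTVT;02;;
Z_FIRE;S_DEVELOP;T_D006;OBJTYPE;DEB*;;
"""

def covers(low, high, wanted):
    """True if one LOW/HIGH entry covers the wanted value (range or pattern)."""
    low, high = low.strip(), high.strip()
    if high:                              # interval entry: LOW <= value <= HIGH
        return low <= wanted <= high
    return fnmatchcase(wanted, low)       # single value, '*' or prefix pattern

def roles_granting(export_text, obj, required):
    """Roles in which ONE authorization (AUTH) of obj covers every required field."""
    hits = defaultdict(set)               # (role, auth) -> required fields satisfied
    for row in csv.DictReader(io.StringIO(export_text), delimiter=";"):
        if row["OBJECT"] != obj or row["DELETED"].strip():
            continue                      # other object, or entry flagged as deleted
        wanted = required.get(row["FIELD"])
        if wanted is not None and covers(row["LOW"], row["HIGH"], wanted):
            hits[(row["AGR_NAME"], row["AUTH"])].add(row["FIELD"])
    return sorted({role for (role, _), done in hits.items() if done == set(required)})

# The critical combination named in the text above.
DEBUG_REPLACE = {"ACTVT": "02", "OBJTYPE": "DEBUG"}

if __name__ == "__main__":
    print(roles_granting(SAMPLE_EXPORT, "S_DEVELOP", DEBUG_REPLACE))
```

Z_SPLIT is not reported because its two values sit in different authorizations of the object, and Z_OLD is skipped because its entries carry the deletion flag.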