Solution approaches for efficient authorizations
Lack of definition of an internal control system (ICS)
If an entry in transaction SE97 is correctly created, a permission check is performed in the same way as a transaction startup authorisation. This approach therefore requires an exact and complete configuration for each transaction that is invoked. The required effort and the space for errors are correspondingly large. The CALL TRANSACTION ABAP command does not cause a transaction startup permission check. Without a permission check, the ABAP programme could unintentionally allow users to access system resources. In many cases, such authorisation problems lead to a hidden compliance violation, because this means that the traceability of user actions in the SAP system is no longer guaranteed. A developer should not rely on the functionality of the SE97 transaction and therefore should include the possible permission checks in the code. Therefore, one of the following explicitly coded permission checks for the CALL TRANSACTION statement must be performed.
The system checks direct access to the contents of tables, for example, with transactions SE16, SM30, or SE16N with authorization checks on a table authorization group, object S_TABU_DIS. If there are no suitable authorizations for the table authorization group, the system checks the name of the table or view, object S_TABU_NAM. When making changes to client-independent tables, the system also checks the authorizations for object S_TABU_CLI. If you have configured line-based authorization checks in Customizing, the system also checks authorization object S_TABU_LIN. Assign tables or views to a table authorization group using transaction SE11 or SE54. You can also define table authorization groups using transaction SE54. If your customer development implements direct access to a table, use the VIEW_AUTHORITY_CHECK function module to perform the authorization check. For more information about generic access to tables, see SAP Note 1434284 Information Published on SAP Site and the online documentation for the authorization objects mentioned above.
User and authorization management
Another function of this transaction is to find transactions based on generic table access transactions. Here you can check whether there are parameter or variant transactions for a given table, or for a particular view, for which you can set up permissions, instead of allowing access to the table through generic table access tools. If a search result is generated, you can even search for roles that have permissions for the selected alternative applications. To do this, click the Roles button (Use in Single Roles). When using this tool, make sure that even if applications have the same startup properties, there may be different usage characteristics, such as SU22 and SU24 transactions. Both transactions have the same start properties, but are used for different purposes and display different data.
Now check the SY-SUBRC system variable. If the value is 0, the Permissions Check succeeded. If the value is 4, the test did not pass. At a value of 8, there is an inconsistency in the definition of the authorization object and the verification in the code - this should not happen! If the value is 12, the permission is not part of your permission buffer.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
The processes that run through this module are used for double-entry bookkeeping and recording of documents in the required accounts.
If you want to know more about SAP authorizations, visit the website www.sap-corner.de.
Authorization: An authorization allows a user to perform a specific activity in the SAP system based on a set of authorization object field values.