Direkt zum Seiteninhalt
SAP S/4HANA: Analysis and simple adjustment of your authorizations
Access to tables and reports should be restricted. A general grant of permissions, such as for the SE16 or SA38 transaction, is not recommended. Instead, parameter or report transactions can help. These transactions allow you to grant permissions only to specific tables or reports. You can maintain secondary authorization objects, such as S_TABU_NAM, in the Sample Value Care.

If your user is assigned the privilege ROLE ADMIN (either directly or through a role), you can create your own roles and assign them to users. You can do this by drawing on existing privileges and roles. The privileges themselves are provided by developers with appropriate permissions to create applications, including the privileges they require. Often, as the permission administrator, you do not have the privilege to create privileges. This is also useful because only the application developer can decide what properties the privileges of using the objects in the application should have. The application developer also decides whether his application provides appropriate roles in addition to privileges.
Coordinate authorisation management in customer-owned programmes
The authorization objects are attached by analogy to the forecast and item-based reports. The authorization objects of the item-based reports are checked in addition to the authorization objects for the information system when the report is selected. There is a trick in maintaining the CO-PA-specific authorization objects, because a once selected result area is set for the entire session of your login. This is of course hindering the maintenance of authorization objects for different result areas. Therefore, simply change the result area in the Customising window using the following path: Controlling > Income and market segment accounting > Structures > Set result area.

In general, you should note that not all relevant change documents of a system are present in the user and permission management. As a rule, authorisation administration takes place in the development system; Therefore, the relevant proof of amendment of the authorisation management is produced in the development systems. By contrast, you will find the relevant user administration change documents in the production systems; Therefore, you should note that when importing roles and profiles in the production systems, no change documents are written. Only transport logs are generated that indicate that changes have been made to the objects. For this reason, the supporting documents of the development systems' authorisation management are relevant for revision and should be secured accordingly.

Authorizations can also be assigned via "Shortcut for SAP systems".

In the evaluation of the Permission trace, an additional column named Server Name appears, showing you the name of the application server on which the respective permission checks were logged.

These fields define from which systems and clients or for which user IDs applications should be allowed on the target system.
SAP Corner
Zurück zum Seiteninhalt