Challenges in authorization management
What to do when the auditor comes - Part 2: Authorizations and parameters
The SAP HANA Studio application is available for maintaining and assigning HANA permissions to users. The SAP HANA Studio is installed on your workstation. You can then log in to one or more HANA databases with the user and password. The SAP HANA Studio and HANADatenbank are currently subject to extensive further developments; Therefore, the respective versions of the SAP HANA studio must be compatible with the HANA databases to be connected. For this reason, we recommend that you check the information about the use of certain versions of SAP HANA Studio in the SAP Notes.
Authorizations are assigned to users in SAP systems in the form of roles. The goal is to create a system that is as secure as possible and to keep the complexity and number of roles as low as possible. This is the only way to achieve a balanced cost-benefit ratio.
Which authorization objects are checked (SU22)? When calling a transaction, such as the ME23N, various authorization objects are checked. You can get an overview as follows: Call transaction SU22 (SAP tables) or SU24 (customer tables), enter e.g. "ME23N" in "Transaction code" and execute the transaction. As a result you will see all authorization objects that are checked when calling transaction ME23N.
Since SAP NetWeaver 7.02, such a feature is available, which means that you can access the data from the system trace to maintain PFCG roles. In the following we show you how you can apply the permission values from the permission trace to your role. To do this, you must first record applications against their permission checks and then add them to your role menu.
With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.
In this part, the concentration is on a deeper level, namely directly in the SAP® system.
To implement this requirement, you can use the BAdI BADI_IDENTITY_UPDATE.