SAP Authorizations Define security policy for users

Direkt zum Seiteninhalt
Define security policy for users
Roles and permissions in SAP SuccessFactors often grow organically and become confusing
In the SCUA transaction, which you typically use to create or delete a ZBV distribution model, you can temporarily disable a subsidiary system. This option is disabled by default. To enable it, you must make changes in the customising of the PRGN_CUST table. Open the PRGN_CUST table either directly or via the customising in the SPRO transaction in the respective subsidiary system.

You can disable this new behaviour for the SAP_ALL profile by setting the customising switch ADD_S_RFCACL to the value YES in the table PRGN_CUST. If the ADD_S_RFCACL entry is YES, SAP_ALL still contains the total permissions for the S_RFCACL authorization object.
You can maintain the SE97 transaction to determine whether or not a transaction should start at origin. The information in this transaction comes from the TCDCOUPLES table and is included. You have the possibility to amend or supplement the proposals listed here. When the CALL TRANSACTION statement is invoked, additional transaction code pairings are written to the TCDCOUPLES table by activating the authorisation trace through the auth/authorisation_trace profile parameter. The check mark indicates whether the test is carried out. By default, it is set to unkempt after performing the trace. If the check mark is set to YES, the transaction startup permission is performed with the S_TCODE object. If applicable, other permissions maintained by the SE93 transaction are also checked when the transaction is called.

Suggested values are maintained in the transaction SU24 and delivered through the transaction SU22. Read more about the differences between these two transactions. Maintaining suggestion values via the SU24 transaction is useful if you want to reflect your own requirements or if the values provided by SAP do not meet customer requirements (see Tip 37, "Making sense in maintaining suggestion values"). These proposed values form the basis for the role maintenance credentials in the PFCG transaction. As you know, the suggested values provided by SAP are in the transaction SU22, which are delivered during reinstallation or upgrades as well as in support packages or SAP hints. What is the difference between transactions and how are they used correctly?

For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.

The Central User Administration (ZBV) is used to create users, assign roles and distribute them to the respective subsidiary systems.

Access to tables and reports should be restricted.
SAP Corner
Zurück zum Seiteninhalt