SAP Authorizations Detect critical base permissions that should not be in application roles

Direkt zum Seiteninhalt
Detect critical base permissions that should not be in application roles
Set up permission to access Web Dynpro applications using S_START
A separate programme - a separate permission. What sounds simple requires a few steps to be learned. Do you want to implement your own permission checks in your own development or extend standard applications with your own permission checks? When implementing customer-specific permissions, a lot needs to be considered. In this tip, we focus on the technical implementation of the authorisation check implementation.

Critical permissions are permissions that allow you to view or modify security-related configurations in the SAP system, or perform activities that are critical from a legal or business perspective. This also includes access to sensitive data, which are e.g. personal. Critical permissions are really critical in themselves and pose a risk only if they get into the wrong hands. In any case, when using critical permissions, you should observe the principle of restricting rights. There are no general definitions of risk; Therefore, each company should define the compliance requirements for itself. Identifying critical SAP permissions is an important task and should be performed in every company. Particular attention should be paid not only to the award of transactions but also to the value characteristics of each of the eligible objects. It is important to mention that preventive regular inspections do not have to be burdensome. However, they will lead to greater transparency and security.
Authorization concepts in SAP systems
I will go into more detail on the subject of further training in the SAP environment at the next opportunity. As a small anticipation, I may refer here to some SAP blogs on the subject of SAP Basis or also the VideoPodcast "RZ10 LIVE SAP BASIS AND SECURITY" from rz10.de picks up topics in the area of authorizations again and again and is instructive here :-).

The high manual maintenance effort of derived roles during organisational changes bothers you? Use the variants presented in this tip for mass maintenance of role derivations. Especially in large companies, it often happens that a worldwide, integrated ERP system is used, for example, for accounting, distribution or purchasing. You will then have to limit access to the various departments, for example to the appropriate booking groups, sales organisations or purchasing organisations. In the permission environment, you can work with reference roles and role derivations in such cases. This reduces your administrative overhead for maintaining functional permissions and reduces the maintenance effort for role derivations to adapt the so-called organisational fields. However, maintaining the organisational fields can mean enormous manual work for you, as the number of role derivations can become very large. For example, if your company has 100 sales organisations and 20 sales roles, you already have 2,000 role outlets. Here we present possible approaches to reduce this manual effort.

However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".

Now, go to the RZ11 transaction, enter the auth/authorisation_trace parameter name in the selection box, and click View.

Sometimes, new transaction codes replace old transaction codes.
SAP Corner
Zurück zum Seiteninhalt