Security Automation for HR Authorizations
The AL08 transaction displays all logged-in users and their application servers. In the Server Name column, you can see which application server the user is logged on to, and which has the permission issue. Switch to this application server by calling the SM51 transaction and double-clicking the application server you are looking for. On the application server that is now active, run the permission trace as usual and review the evaluation.
When creating the permission concept, a naming convention is defined for PFCG roles. Every customer has his own preferences or specifications, which must be adhered to. According to our project experience, some naming conventions are particularly attractive. Naming conventions for PFCG roles can be very diverse. You will have noticed that even the roles provided by SAP do not correspond to a uniform naming convention. So there are roles whose names start with SAP_. There are also roles, such as for the SRM system, that start with the /SAPSRM/ namespace. In this tip we would like to give you some hints and criteria that you can use to help define a naming convention of PFCG roles.
Use Custom Permissions
With the SAP NetWeaver 7.03 and 7.30 releases, Web Dynpro ABAP applications (as well as other Web Dynpro ABAP functions, see SAP Note 1413011) have been tested for permission to launch such applications. The authorization object that controls this startup permission is S_START. This authorization object is used in the same way as the S_TCODE authorization object.
On the topic of SAP authorizations and SAP S/4HANA, I can recommend the SAP online course by Tobias Harmes as blended learning from Espresso Tutorials for SAP administrators, ABAP developers and people who are currently or will be dealing with SAP authorizations. The online course covers the following topics: - Introduction to the course - Why are SAP authorizations actually important? - How do SAP authorizations work technically? - Developing and maintaining roles - SAP Fiori authorizations/tile authorizations in S/4HANA - Developing authorization checks.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
Custom customising tables are created and standard programmes are extended.
In our example table, setting the switches FS_NOREAD = X and FS_NOWRITE = X for all paths prohibits reading and writing.