Prevent excessive permissions on HR reporting
What are SAP authorizations?
You can create such an organisational matrix as an Excel file or in ABAP; This depends on how you want to read the data. When using a common standard solution (e.g. SAP Access Control), a corresponding maintenance view is usually offered. We first describe how you can provide automated mass care in the form of a custom development.
Armed with this information, it goes to the conceptual work. Describe which employee groups, which organisational units use which applications and define the scope of use. In the description, indicate for which organisational access (organisational level, but also cost centres, organisational units, etc.) the organisational unit per application should be entitled; So what you're doing is mapping out the organisation. It is also important to note which mandatory functional separation must be taken into account. This gives you a fairly detailed description, which in principle already indicates business roles (in relation to the system).
To use the trace data from the USOB_AUTHVALTRC table, first go to the change mode and then either click the SAP Data button or select Object > Add Objects from Trace > Local. The found authorization objects are imported from the table, but are not yet marked with any suggestion values. To maintain the suggestion values, click the Trace button. In the window that opens, select one of the new authorization objects and then select Trace > Permissions Trace > Local. The checked permission values will now be displayed. To apply these values, select Y Yes in the Suggest Status combo box and select the values you wish to display in the right pane of the window. Then click Apply. After confirming your entries, you confirm the Permissions field maintenance in the Permissions proposal maintenance by clicking on the green checkmark, so that the status of the Permissions object is green (maintained). Also continue with other authorization objects.
The SAP Note 1903323 provides a solution. The functionality is only provided via support packages for NetWeaver releases 7.31 and 7.40. This fix extends the naming conventions so that namespaces in the /XYZ/ format can be used up to a maximum of eight characters. In the development and creation of authorization objects, some functionalities of the SAP hint are extremely helpful, which we present in this tip.
Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.
If you use configuration validation, we still recommend that you use the AGS Security Services, such as the EarlyWatch Alerts and SAP Security Optimisation Services, which we describe in Tip 93, "AGS Security Services." SAP keeps the specifications and recommendations in the AGS Security Services up to date and adapts them to new attack methods and security specifications.
You grant the members of an SAP project team the permissions they need to support the project.