Retain the values of the permission trace to the role menu
Our services in the area of SAP authorizations
Together with you, we develop suitable authorizations for your systems and processes. In workshops with your departments, we create concepts to assign the required rights to employees. The goal is to define so-called job roles, which represent job profiles at the job level.
You should therefore enforce cryptographic authentication and communication encryption by setting up Secure Network Communication (SNC). SNC provides a strong cryptographic authentication mechanism, encrypts data transmission, and preserves the integrity of the transmitted data. For some time now, SNC is freely available without a SSOMechanism (SSO = Single Sign-on) for SAP GUI and the RFC communication of all SAP NetWeaver customers. You should always implement SNC between SAP GUI and application server, as this communication can also run over open networks. For RFC communication, you need an SNC implementation if you think the data transfer could be intercepted.
Create order through role-based permissions
When it comes to preparing for the auditor, it should definitely be checked whether all critical authorizations, as well as the important parameters, have been correctly assigned or set up in SAP®. The specifications for this should all be defined in the authorization concept documented in writing and must also be consistent with this. In this context in particular, however, it is not always easy to check all the essential points using the SAP® standard on-board tools. This is where the experienced auditors at IBS Schreiber GmbH can provide support.
Organisation levels ensure more efficient maintenance of the eligibility roles. You maintain them once in the transaction PFCG via the button Origen. The values for each entry in this field are entered in the permissions of the role. This means that you can only enter the same values for the organisation level field within a role. If you change the values of the individual fields in the authorization objects independently of the overarching care, you will receive a warning message that you will no longer be able to change this field by clicking the Ormits button and that this individual value will be overwritten when you adjust derived roles. Therefore, we strongly advise you not to carry out individual maintenance of the organisation level fields. If you adhere to this advice, as described above, there can always be only one value range for an organisation level field. For example, the combination of displaying all posting circuits and changing a single posting circle within a role cannot be implemented. Of course, this has implications if you want to upgrade a field to the organisation level. A field that has not previously served as an organisational level can include such entries with different values within a role. You must clean up these entries before you declare a field as an organisation level. In addition, the definition of a field as an organisational level also affects the proposed permissions values of the profile generator.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
Think of it as a blueprint or a flow rule for how to create new derived roles.
The valid programmes or transactions are stored in the SAP TPCPROGS delivery table, but do not follow a uniform naming convention.