SAP Authorizations Unclear responsibilities, especially between business and IT

Direkt zum Seiteninhalt
Unclear responsibilities, especially between business and IT
THE "TOP SEVEN"
In such a case the last error is displayed in SU53 or the display is empty. Then you can't avoid analyzing the error message of the transaction. One more tip in the end: Instruct the user to take the screen shot with , this will put the whole active window on the clipboard and you can see which transaction, system and context of the transaction it is. Smaller "SnagIt "s are mostly useless and lead to unnecessary queries.

There are many advantages to using an authorization tool for companies. These include: - Managing authorization requests - Distributing and assigning authorizations - Auditing authorizations - Developing authorizations. With the help of authorization tools, it is possible, for example, to drastically reduce the effort required for role creation and authorization management through concrete assignment of SAP system roles.
Consolidate user-level role mapping
The authorization check for the authorization objects PS_RMPSORG and PS_RMPSOEH runs as follows following a user entry: The system determines the organizational unit to which the user is assigned. Starting from this organizational unit, the system creates a list of all organizational units that are superior to the organizational unit determined in the first step in the hierarchy. The system determines the set (M1) of all organizational objects that are assigned to these organizational units. The system determines the organizational unit to which the object to be processed is assigned (corresponds to the lead organizational unit in the attributes of the object to be processed). Starting from this lead organizational unit, the system creates a list of all organizational units that are superior to the determined organizational unit within the hierarchy. The system determines the set (M2) of all organizational objects assigned to these organizational units. The system forms the intersection (from M1 and M2) of the matching organizational objects of the user and the object to be processed. The system determines the organizational levels that match for the user and the object being processed. Once a matching organizational level is found, the system performs the authorization check for the other fields of the authorization object (e.g., type of object or activity); if the system cannot determine a common organizational level, processing is rejected. If the user is allowed to perform the requested activity, processing is allowed; otherwise, the system rejects processing.

In contrast to storing passwords in the form of hash values, the user ID and password are transmitted unencrypted during the login of the client to the application server. The Dynamic Information and Action Gateway (DIAG) protocol is used, which may look somewhat cryptic but does not represent encryption. In addition, there is no cryptographic authentication between the client and the application server. This applies not only to communication between the user interface and the application server, but also to communication between different SAP systems via Remote Function Call (RFC). So, if you want to protect yourself against the access of passwords during the transfer, you have to set up an encryption of this communication yourself.

Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.

To do this, select the appropriate entries in the Category and Transport fields and check the Current setting option.

The ability to create this role with the report REGENERATE_SAP_APP exists after inserting the SAP note 1703299.
SAP Corner
Zurück zum Seiteninhalt