SAP Authorizations Make sense in maintaining proposal values - NW Admin

Make sense in maintaining proposal values
Prevent excessive permissions on HR reporting
In transaction SCUA, which you typically use to create or delete a Central User Administration (CUA, German: ZBV) distribution model, you can temporarily deactivate a child system. This option is disabled by default. To enable it, you must change the Customizing in table PRGN_CUST. Open table PRGN_CUST either directly or via Customizing in transaction SPRO in the respective child system.

For these Fiori apps/tiles and groups to be displayed, the corresponding authorizations must be granted on the basis of a group and catalog assignment. These are assigned via specific groups, which, in addition to the normal authorizations (such as create, change, display cost centers), also grant access to the appropriate Fiori apps.
Maintain permission values using trace evaluations
The basic idea of the approach described below is to evaluate previous usage behaviour (reverse engineering) in order to define the required permissions. In the first step, you configure the retention time of usage data, because each SAP system logs the calls to startable applications. This records not only which user called which transaction at what time, but also which user called which function module. These data are then condensed into daily, weekly and monthly aggregates and stored for a specified period. This statistical usage data is originally intended for performance analysis; you can also use it to determine the permissions you need. We described the configuration of the retention time of the statistical usage data in Tip 26, "Use usage data for role definition". Please also refer to our explanations on the involvement of your organisation's co-determination body in the storage and use of the statistical usage data. In addition to the settings described in Tip 26, you should also adjust the retention time for the task types RFC Client Profile (WO), RFC Client Destination Profile (WP), RFC Server Profile (WQ), and RFC Server Destination Profile (WR) using the maintenance view SWNCCOLLPARREO.

Scribble Papers is a suitable tool for storing all your information on SAP, and on other topics, in a knowledge database.


Configuration validation gives you an overview of the homogeneity of your system landscape. Typical criteria are operating system versions, kernel patch levels, and the status of specific transport jobs or security settings. The following security settings can be monitored using configuration validation: Gateway settings, profile parameters, security notes, permissions. As part of the comparison, you can define rules that determine whether the configuration is rule-compliant or not. If the configuration meets the defined values in the rule, it will be assigned Conform status. You can then evaluate this status through reporting.

For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.

For an authorization concept, a clear goal must first be defined that is to be achieved with the help of the concept.

This gives the authorization administrators more time to correct any errors that occur instead of having to search for them first.