Permissions and User Root Sets Evaluations
WHY ACCESS CONTROL
A typical application arises when a new SAP user is requested. The data owner now checks whether the person making the request and the person to be authorized are at all authorized to do so, what data would be affected, whether an SAP user already exists to whom new roles can be assigned and old ones revoked, whether data access can be limited in time, and so on.
This role is now available for you to assign to users. As a design-time object, you can transport this role via the HANA-owned Transport Service (HALM) or via the SAP Solution Manager with the CTS+ extension. After transport to the target system, this role is activated as a runtime object. You can assign HANA roles via both SAP HANA Studio and SAP Identity Management.
Risk: historically grown authorizations
In the area of group consolidation, an authorization concept ensures that no data can be deliberately manipulated, for example to change balance sheets. This can prevent significant financial or reputational damage to banks and stakeholders. Furthermore, access to financial data of subdivisions of a group, such as individual business units or companies, must be restricted to those employees who are allowed to access it because their current activities require it. As a result, a controller of a business unit, for example, can only view the consolidated figures of his business unit, but not the figures of the entire group. Further authorization roles are required, for example, for external auditors. These auditors check all the figures for the entire group, but may only have read access to this data.
To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.
It is important that, if necessary, the database is converted to an SAP S/4HANA database. In addition, various technical system components must be analyzed and adapted to the new environment. But restructuring must also be carried out at the organizational level. For example, the "old", or current, authorization concept must be analyzed, evaluated and, if necessary, fundamentally revised.
Authorizations can also be assigned via "Shortcut for SAP systems".
Since correct inheritance can no longer occur in such cases, you need a way to reset incorrect values of the organisation levels in the PFCG roles.
We will explain how this works and what you need to consider.