Preventing sprawl with the workload monitor
Check and refresh the permission buffer
The SAP authorization concept also maps the organization of authorizations within the SAP system. The organizational structure defines responsibilities and the authorization hierarchy, while the process organization specifies process steps and the activities and authorization objects required for them in SAP. The authorization concept must therefore be flexible enough to allow future changes in the organization to be implemented quickly and in compliance with the rules.
To establish an efficient and consistent structure in the area of SAP authorization management, function-related role and authorization assignments are the be-all and end-all. In addition, the existing authorization concept must be constantly analyzed for changes and security-relevant errors through proactive monitoring. This prevents negative and highly security-critical effects on your entire system landscape. To make this task easier for you, Xiting provides you with a comprehensive analysis tool, the Xiting Role Profiler. In addition, you can perform a basic analysis in advance, which will also be the main focus of this blog. The goal is to show you SAP standard methods with which you can already independently optimize your authorization and role administration.
Custom requirements
The call to your implementation of the BAdIs is the last step in the process of storing user data. This applies to all transactions or function blocks that make changes to user data. Therefore, the BAdI is also called during maintenance by the BAPI BAPI_USER_CHANGE. You use this BAPI when you implement a password reset self-service as described in Tip 52, "Reset Passwords by Self-Service." This enables encrypted e-mail delivery of initial passwords within a self-service framework.
To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.
Are you using the result and market segment statements and need permission checks for combinations of characteristics and key figures not included in the standard? To do this, create specific authorization objects. You can define key figures and result objects (groups of characteristics) for the planning and information system in the result and market segment calculation (CO-PA). You may also want to control permissions by using these characteristics or key numbers. This cannot be reflected with the default authorization objects. Therefore, create authorization objects in the customising of the result invoice.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
To do this, enter the S_TABU_LIN authorization object with the organisational criterion you created.
Once a matching organizational level is found, the system performs the authorization check for the other fields of the authorization object (e.g., type of object or activity); if the system cannot determine a common organizational level, processing is rejected.