SAP authorizations: Recommendations for setting up, monitoring and controlling
Trace after missing permissions
When displaying or posting receipts in SAP Finance, are the standard eligibility checks insufficient? Use document validation, BTEs, or BAdIs for additional permission checks. The posting of documents, and often their display, is protected by standard permission checks; but they may not meet your requirements.
In this article, I show you with which transaction you can easily and quickly run the authorization trace in SAP ERP or SAP S/4HANA. The displayed result provides a good overview of the involved authorizations. In this course, existing roles and profiles in authorization management (transaction PFCG) can be extended. In addition, the authorization trace is useful for maintaining authorization default values (transactions SU22 and SU24).
SAP Security Automation
The role concept provides that each user can only process the tasks to which he is authorized. It is developed across departments and must protect sensitive data from unauthorized access. A clear role concept enables a modular structure of authorizations without having to create separate roles for each user.
So much information... how can you keep it so that you can find it again when you need it? Scribble Papers is a "note box" that makes this very easy.
Well-maintained suggestion values are extremely helpful for creating PFCG roles. We will give you a rough guide as to when it makes sense to maintain suggestion values. SAP provides suggested values for creating PFCG roles in the USOBT and USOBX tables via upgrades, support packages, or hints. These suggestion values include suggested values for permissions of SAP default applications that can be maintained in PFCG roles. Suggestion values are supplied not only for transaction codes, but also for Web Dynpro applications, RFC function blocks, or external services. You can customise these suggestion values to suit your needs. However, this does not happen in the supplied tables, but in the USOBT_C and USOBX_C customer tables. Care is carried out in the transaction SU24.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
The developer has to include an authorization check exactly for this object in the program code.
For information on the validity of the PFCG_ORGFIELD_ROLES report, see SAP Note 1624104.