SAP Authorizations Sustainably protect your data treasures with the right authorization management - NW Admin

Sustainably protect your data treasures with the right authorization management
How is it possible to jump from one transaction to another without an authorization check for the target transaction? With the CALL TRANSACTION statement! This tip explains how you can grant authorizations for jumps from one transaction to another made with the ABAP CALL TRANSACTION statement, or actively determine which checks are performed. The CALL TRANSACTION statement does not automatically check the user's authorization to execute the called transaction. If the called program performs no check, one must be implemented in the calling program by adding an explicit authorization check.
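The unchecked jump next to two checked variants, as an added example that is not code from the original page. The report name, the parameter and the transaction code ZTARGET are hypothetical, and the WITH/WITHOUT AUTHORITY-CHECK additions assume ABAP release 7.40 or later.

```abap
REPORT z_call_tx_demo.

" Hypothetical target transaction, used only for illustration.
CONSTANTS gc_tcode TYPE sy-tcode VALUE 'ZTARGET'.

" U = unchecked jump, E = explicit check in the caller, other = built-in check
PARAMETERS p_mode TYPE c LENGTH 1 DEFAULT 'C'.

START-OF-SELECTION.
  CASE p_mode.
    WHEN 'U'.
      " Unchecked: the statement itself does not verify that the user may
      " start the target. Only checks coded in the called program apply.
      CALL TRANSACTION gc_tcode WITHOUT AUTHORITY-CHECK.

    WHEN 'E'.
      " Explicit check in the calling program: test the start authorization
      " (object S_TCODE, field TCD) before jumping.
      AUTHORITY-CHECK OBJECT 'S_TCODE' ID 'TCD' FIELD gc_tcode.
      IF sy-subrc <> 0.
        MESSAGE |No authorization for transaction { gc_tcode }|
          TYPE 'S' DISPLAY LIKE 'E'.
        RETURN.
      ENDIF.
      CALL TRANSACTION gc_tcode WITHOUT AUTHORITY-CHECK.

    WHEN OTHERS.
      " Built-in check: the runtime checks the start authorization and
      " raises CX_SY_AUTHORIZATION_ERROR if the user lacks it.
      TRY.
          CALL TRANSACTION gc_tcode WITH AUTHORITY-CHECK.
        CATCH cx_sy_authorization_error.
          MESSAGE |No authorization for transaction { gc_tcode }|
            TYPE 'S' DISPLAY LIKE 'E'.
      ENDTRY.
  ENDCASE.
```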

Identify the user master record in the Active Directory that belongs to the user ID you are creating in transaction SU01. To do this, search the Active Directory for a user master record in which the user ID you are looking for is entered as the SAP user name. Then fill in the fields in transaction SU01 with the data from the Active Directory user record.
Identify Executable Transaction Codes
Evaluating the licence data via the Central User Administration (ZBV) with the report RSUSR_SYSINFO_LICENSE produces a result list with the following contents: Contractual User Type - This column contains the actual local user types from the ZBV child systems. Value in Central - This column contains the central user type from the ZBV that is stored for the user for the respective child system.

To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.

You can, of course, also use the data obtained with the authorization trace (filtered on the S_DATASET authorization object) to define authorizations for the object itself. In any case, you should also use the values obtained for the PROGRAM field. This prevents misuse through modified copies of ABAP programs. Restricting the accessing programs in this way is already a security gain, even if you do not want to restrict access to paths and files.

The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".

If you are using security policies in your system, you can use the RSUSR_SECPOL_USAGE report to get an overview of how security policies are assigned to users.

For example, you can log failed RFC calls system-wide, user deletions, or all activities of the default user DDIC.