SAP Authorizations What to do when the auditor comes - Part 2: Authorizations and parameters - NW Admin

Direkt zum Seiteninhalt
What to do when the auditor comes - Part 2: Authorizations and parameters
Analysis and reporting tool for SAP SuccessFactors ensures order and overview
Despite progressive use of web interfaces in the S/4HANA context, batch processing for mass data is still required. However, our experience from customer projects shows that only very few authorization administrators know how to correctly authorize the scenarios. SAP OSS Note 101146 provides a good overview here. In this blog post, we would like to summarize the context for practical use.

The changes made by inserting the note or upgrading to the above support packages do not only affect the SAP_ALL profile. While it remains possible to assign the full RFC_SYSID, RFC_CLIENT, and RFC_USER permissions in principle; However, this can only be done manually in the PFCG transaction through the dialogue maintenance of the fields. In this case, another dialogue box will open, indicating the security risk. You must confirm this window. From this change of behaviour of the SAP_ALL profile, it follows that all automatic methods for taking over the overall authorisation are no longer available in the fields of the S_RFCACL authorization object.
Error analysis for authorizations (part 1)
However, the greatest advantage is the consistent use of reference users for performance. The use of reference users reduces the number of entries per user in the user buffer, i.e. in the USRBF2 table. This is because the entries in the user buffer only have to be stored once for the reference user and not more times for the inheriting users. This reduction in the table contents of the USRBF2 table will improve performance when performing eligibility tests.

So much information... how can you keep it so that you can find it again when you need it? That's what Scribble Papers is great for.

You can disable this new behaviour for the SAP_ALL profile by setting the customising switch ADD_S_RFCACL to the value YES in the table PRGN_CUST. If the ADD_S_RFCACL entry is YES, SAP_ALL still contains the total permissions for the S_RFCACL authorization object.

However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".

The critical permissions are defined in these steps: On the Entry screen, select the Critical Permissions button.

It happens again and again that there are special requirements for password rules, password changes and login restrictions for different users in your SAP system.
Zurück zum Seiteninhalt