Rights-based workflows in accounting
What will be the SAP Basis trends in the next few years?
Mentioning the SUM tool leads us to another part of SAP Basis: system updates and upgrades. Since SAP software receives updates from SAP at regular intervals - in the case of R/3 in the form of SPS (Support Package Stacks) and in the case of S/4HANA in the form of FPS (Feature Pack Stacks) - a large part of an SAP Basis administrator's job is to import these packages into the SAP system.
If you now want to change the permission data, you will be asked for values for the relevant organisational levels. Enter a tilde (~) for now and define the actual value later in the derived roles. Maintain the permissions you want and then generate the master role.

Adding the organisational level to the master role

Step 2: Define derived roles

Create derived roles

Assign the master role

After you have created the master role, the derived roles are next. To do this, enter a suitable role name in PFCG again. In our example, it is called "findepartment_d01". For a better overview, it is usually useful to name and number the derivatives after the master roles. You can also name the roles according to a different scheme. After you have created the role, enter the master role in the Derive from Role field in the Description tab. Confirm the automatic prompts.

Customise the Organisation Levels

Now go to the "Menu" tab. There you can see that the data from the master role was copied automatically. Since the role has not yet been generated, the Permissions tab is currently highlighted in red. Therefore, call "Change Permissions Data". The first call should automatically open a dialogue to maintain the organisational levels, as they are still empty. If this is not the case, or if you would like to adjust the organisational levels again later, you can also access them via the button Ordende (see screenshot). If everything worked well, you can now see that the permissions were also taken over automatically from the master role. Once you generate the role, the Permissions tab will also appear green. Congratulations, you have successfully created a derived role! Repeat step 2 for the additional derivatives and adjust the organisation levels accordingly.
Connection to cloud services
A secure SAP system requires more than a good role concept. It is also necessary to check whether a user should (still) have a specific role. Regular verification of role assignments is called recertification. In this blog post, I'd like to introduce you to the need for recertifications and our own tool, EasyReCert.

The need for recertification - scenarios:

Example 1: The "apprentice problem"

Imagine the following scenario: A new employee (e.g. an apprentice or trainee) will go through various departments as part of his or her training and will work on various projects. Of course, an SAP user equipped with appropriate roles will be made available to your employee right at the beginning. With each project and department, the employee repeatedly needs new permissions to meet the requirements. After the employee has successfully completed his or her induction and is now in a permanent position, he or she still has permissions that are not necessary to perform his or her duties. This violates the principle of "least privilege" and represents a potential security risk for your company.

Example 2: The change of department

The change of department is one scenario that probably occurs in every company. If a change of department does not automatically involve a complete reallocation of roles and the employee simply takes his old permissions with him, critical combinations of permissions can occur very quickly. For example, an employee who has permissions in accounts payable and accounts receivable violates the SoD ("Segregation of Duties") principle and poses a potential security risk to your company.

Recertification as part of a revision:

The two examples above show that a regular review of role allocation identifies potential security risks for your business so that they can be addressed.
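The two scenarios above can be turned into a simple recertification check. The following is an added example, not part of the original post and not how EasyReCert works: the role names, the CSV layout, the department mapping and the 365-day interval are all constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample export of user-role assignments (not real data).
ASSIGNMENTS_CSV = """user,role,role_area,last_certified
TRAINEE01,Z_AP_CLERK,accounts_payable,2023-02-01
TRAINEE01,Z_MM_BUYER,purchasing,2023-09-01
TRAINEE01,Z_SD_ORDER,sales,2024-03-01
MILLER,Z_AP_CLERK,accounts_payable,2024-01-15
MILLER,Z_AR_CLERK,accounts_receivable,2024-05-01
SCHMIDT,Z_AR_CLERK,accounts_receivable,2024-04-01
"""

# Constructed HR data: the area each user works in today.
CURRENT_AREA = {"TRAINEE01": "sales", "MILLER": "accounts_receivable",
                "SCHMIDT": "accounts_receivable"}

# SoD rule from the text: payable and receivable must not be combined.
SOD_CONFLICTS = [frozenset({"accounts_payable", "accounts_receivable"})]
MAX_AGE_DAYS = 365  # assumed recertification interval


def recertification_findings(csv_text, current_area, today):
    """Return (user, object, reason) tuples that a reviewer must decide on."""
    findings = []
    areas_by_user = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        user, role, area = row["user"], row["role"], row["role_area"]
        areas_by_user.setdefault(user, set()).add(area)
        # Leftover role from an earlier department or training station.
        if area != current_area.get(user):
            findings.append((user, role, "outside current area"))
        # Assignment not confirmed within the recertification interval.
        age = (today - date.fromisoformat(row["last_certified"])).days
        if age > MAX_AGE_DAYS:
            findings.append((user, role, "certification expired"))
    # Critical combinations are only visible across all roles of a user.
    for user, areas in areas_by_user.items():
        for pair in SOD_CONFLICTS:
            if pair <= areas:
                findings.append((user, "+".join(sorted(pair)), "SoD conflict"))
    return findings


if __name__ == "__main__":
    for finding in recertification_findings(ASSIGNMENTS_CSV, CURRENT_AREA,
                                            date(2024, 6, 1)):
        print(*finding, sep=" | ")
```

The findings are candidates for a reviewer's decision, not automatic revocations: a role outside the current area may still be justified, which is exactly what the recertification step records.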
A Conflict Resolution Transport (CRT) is used only for add-ons, such as IS-IS or IS-OIL. It is used to eliminate conflicts that may arise between the different support packages and an add-on. Note that a CRT that applies to an add-on release also resolves all conflicts with previous releases of that add-on. In addition, a CRT may include other corrections for the corresponding add-on. A CRT can therefore always be a special add-on support package.

Settings for SPAM

With Additional Settings, you can access a dialogue box where you can specify general settings for the SAP Patch Manager (SPAM). These settings affect the behaviour of downloading and importing support packages of the different types equally. SPAM updates are an exception; certain settings are fixed for these. You can toggle the following properties on and off:

Transmission Monitor: If you enable the Transmission Monitor, you can monitor the download of the support packages from the SAPNet - R/3 frontend with a graphical monitor. Otherwise, you will only get a progress bar.

Scenario: Choosing the scenario determines which actions are performed while the support packages are being imported. The default scenario is used to fully deploy support packages; all steps are performed. The test scenario allows you to determine whether a modification adjustment is required or whether conflicts occur that should be resolved before the support packages are imported. The test scenario does not import data and objects into your SAP system. There is no test scenario for SPAM updates. The choice is ignored when a SPAM update is imported.

Rebuild data files: You can specify whether the data files from the EPS packages are unpacked again each time you attempt an import. In principle, this is the case.
Tools such as "Shortcut for SAP Systems" are extremely useful in basic administration.
Parameters for Private Storage

Last but not least, there is the private storage, which is only used when the user context of a work process has used up all the other storage areas available to it, i.e. its share of the extended memory and its roll area.

If a person's role is now assigned permission for this parameter transaction, that person can open the specified view through it but cannot open arbitrary views in SM30.