Bypass Excel-based Permissions Traps
Permissions with Maintenance Status Changed or Manual
Authorizations in a company are usually not assigned to individuals, but to roles. A role describes jobs or positions within the organization. One or more persons can hold a role and thus have the access authorizations assigned to the role. The authorization profile (the number of authorizations) of a role contains all authorization objects that are required to execute the transactions. By means of a profile generator (transaction PFCG) the creation of the authorization profile can be automated in SAP.
On the topic of SAP authorizations and SAP S/4HANA, I can recommend the SAP online course by Tobias Harmes as blended learning from Espresso Tutorials for SAP administrators, ABAP developers and people who are currently or will be dealing with SAP authorizations. The online course covers the following topics: - Introduction to the course - Why are SAP authorizations actually important? - How do SAP authorizations work technically? - Developing and maintaining roles - SAP Fiori authorizations/tile authorizations in S/4HANA - Developing authorization checks.
User & Authorization Management with SIVIS as a Service
In Step 2b (Customised Proposal Values), you must manually adjust the entries that you manually changed in the SU24 transaction in the initial release. This will start the SU24 transaction in upgrade mode, and you can step by step through all applications and match the changes. If you have created custom organisational levels (ormits), you must restore them at this point using the PFCG_ORGFIELD_UPGRADE report. The report must be called for each organisational level. Only the organisation levels that you create are displayed through the Value Help. SAP Note 727536 lists questions and answers about the use of customer-specific organisational levels.
In most cases, customizing is performed using transaction SPRO. However, this is only the initial transaction for a very comprehensive tree structure of further maintenance transactions. Most customizing activities, however, consist of indirect or direct maintenance of tables. Therefore, a random check of the authorization structure in this environment can be reduced to table authorizations. In the case of delimited responsibilities within customizing (e.g. FI, MM, SD, etc.), attention should therefore be paid here to an appropriate delimitation within the table authorizations. Independent of assigned transaction authorizations within customizing, a full authorization on table level combined with a table maintenance transaction such as SM30 practically corresponds to a full authorization in customizing. Normal customizing by user departments generally refers to client-specific tables. Access to system tables should therefore be restricted to basic administration if possible.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
Without going too deeply into the subject, however, critical interfaces can be characterized by the following properties.
To ensure that processes are mapped securely and correctly, SAP authorizations must be regularly checked and reworked.