SAP Authorizations Evaluate Permission Traces across Application Servers

Evaluate Permission Traces across Application Servers
Introduction & Best Practices
An alternative to using the S_TABU_LIN authorization object is to create custom table views that make organisational delimitation easier to achieve. To do this, create a new view in the SE11 transaction and add the table to which the constraint will apply on the Tables/Join Conditions tab. The Selection Conditions tab allows you to specify your restrictive organisational condition in the form of a field and a field value. You then authorise all relevant users to access the view, which contains only data for your organisational restriction.

In the SAP standard, there is no universally applicable way to automate the mass maintenance of role derivations. We therefore present three possible approaches: 1) custom development; 2) automated mass maintenance using the Business Role Management (BRM) component of SAP Access Control; 3) use of a pilot note that provides a report for the mass update of organisational values in roles (currently available to selected customers).
Lack of definition of an internal control system (ICS)
With the correction in SAP Note 1692243, you can now also use the report in a ZBV (Central User Management) environment; it is no longer limited to individual clients. If the role assignment of the ZBV in the SCUM transaction is set to global, it is sufficient to implement the correction in the central client. The report can then only be executed in the central client. Furthermore, you can select the ZBV's subsidiary systems from the Receive System drop-down box so that only the systems in which the role assignment is to be consolidated or deleted are taken into account. In the results list of the consolidated role assignment, the ZBV-System column now lists the subsidiary systems where consolidation or deletion took place.

In order to make a well-founded statement about the complexity and the associated effort, a fundamental system analysis is required in advance. The results obtained from this form an excellent basis for estimating the project scope and implementation timeframe.

However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".

You can see this call in your System Trace for Permissions in the Additional Information column for testing.

The report also shows which roles are assigned to which users and whether there are duplicates, for example of groups or authorizations.
SAP Corner