Solution approaches for efficient authorizations
A concept for SAP authorizations prevents system errors and DSGVO violations
The logging takes place in both the central system and the subsidiary systems. If the change documents are to be read for the attached subsidiary systems, the subsidiary systems must also be at the release and support package status specified in SAP Note 1902038. In addition, RFC users in their daughter systems need permission to read the change documents using the S_USER_SYS authorization object with the new activity 08 (Read the change document).
Once the programme implementation and documentation have been completed, a functional test will always follow. A corresponding eligibility test should not be forgotten. The permission test must include both a positive and a negative permission test.
SAP S/4HANA® Launch Pack for Authorizations
Here, the authorizations are either derived from the role menu (through the authorization default values (transaction SU24) or can also be edited manually in expert mode. The individual authorization objects are divided into object classes. For example, the object class AAAB (cross-application authorization objects) contains the authorization object S_TCODE (transaction code check at transaction start) with the authorization field value TCD (transaction code).
There are many advantages to using an authorization tool for companies. These include: - Managing authorization requests - Distributing and assigning authorizations - Auditing authorizations - Developing authorizations. With the help of authorization tools, it is possible, for example, to drastically reduce the effort required for role creation and authorization management through concrete assignment of SAP system roles.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
If a release change occurs, the adjustment of permissions is also required as a rework.
The password is generated depending on the password rules; This is done by first evaluating the settings in the security policy assigned to the user.