The Anatomy of SAP Authorization or Documentation on SAP Authorization Objects and Authorization Field Values
SAP S/4HANA® migration audit
Unlike the EWA, the SOS can list the users that require extensive permissions, so you can maintain a whitelist. We recommend that you deal with the results of the SOS as follows: Verify that all identified users require the critical permission. Add the users who need this permission to the whitelist. Remove this permission from all other users.
The critical permissions are defined in these steps:

1. On the entry screen, select the Critical Permissions button. You will now see two folder pairs in the dialogue tree:
   - Critical Permissions > Critical Permission
   - Critical Permission > Permissions Data
2. In change mode, in the lower folder hierarchy, double-click the Critical Permission folder, and then select New Entries.
3. In the right-hand pane of the screen, enter the appropriate data for the Eligibility, Text, Colour, and Transaction Code fields.
4. Save your input. When saving, you are asked for a customising job. Specify it accordingly.
5. Select the entry you just created and double-click the Permissions Data folder to maintain the permissions data.
6. Then create a variant. To do this, double-click the Variants to Critical Permissions folder and select New Entries. Enter the name and description of the variant and save your input.
7. Now assign the identifier of the created critical permission to the variant. To do this, select the variant and then double-click the Variants to Critical Permissions > Critical Permissions subfolder to open the input mask.
8. Click New Items and select your variant from the list (in our example, ZB01). Then save your input.
9. Finally, you can run your report variant with critical permissions. To do this, go back to the RSUSR008_009_NEW entry screen and select the critical permissions option in the variant name pane. Now use the value help to select and run the variant you just created.
Compensating measures for segregation of duties conflicts
Many companies are currently converting their SAP systems from an ERP state to an SAP S/4HANA system. This conversion confronts them with many technical and organizational tasks. The time needed to determine, organize and implement the necessary components should not be underestimated. Security is often neglected in the planning, but in retrospect this can lead to major problems and possibly reputational damage, with resulting financial losses. For this reason, the implementation of a comprehensive authorization concept should be considered as early as possible in the project phase, as several components are intertwined here.
Does the high manual maintenance effort for derived roles during organisational changes bother you? Use the variants presented in this tip for mass maintenance of role derivations. Large companies in particular often use a worldwide, integrated ERP system, for example for accounting, distribution or purchasing. You will then have to limit access for the various departments, for example to the appropriate booking groups, sales organisations or purchasing organisations. In the permission environment, you can work with reference roles and role derivations in such cases. This reduces your administrative overhead for maintaining functional permissions and reduces the maintenance work for role derivations to adjusting the so-called organisational fields. However, maintaining the organisational fields can mean enormous manual work for you, as the number of role derivations can become very large. For example, if your company has 100 sales organisations and 20 sales roles, you already have 2,000 role derivations. Here we present possible approaches to reduce this manual effort.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
This data remains associated with the users and stays effective until a user synchronisation with the Cleanup option (transaction PFUD) clears it.
Technical users are users who perform technical tasks in the database.