THE "TOP SEVEN"
Authorization tools - advantages and limitations
Small companies would theoretically benefit from an authorization tool. However, in many cases the tools are too costly, so the cost-benefit ratio is usually not given.
When the FIORI interface is called up, different roles (Fiori groups) are associated with factually related FIORI tiles. As an example, here is the group Master Data in which the FIORI tile "Manage Cost Center" can be found.
Organisationally restrict table editing permissions
The daily business of an authorization administrator includes the checks and analyses of critical authorizations and combinations in the system. The focus is on users and roles in the respective clients and system rails. The SAP standard report RSUSR008_009_NEW is suitable for this purpose. You must first create corresponding check variants and authorization values for critical authorizations or combinations either using the program itself or transaction SU_VCUSRVARCOM_CHAN. These then correspond to your internal and external security guidelines. You can then run the report with your respective check scope and the corresponding critical authorization or combination variant and check in which roles or users such violations exist. This serves to protect your entire IT system landscape and should be carried out periodically.
When it comes to preparing for the auditor, it should definitely be checked whether all critical authorizations, as well as the important parameters, have been correctly assigned or set up in SAP®. The specifications for this should all be defined in the authorization concept documented in writing and must also be consistent with this. In this context in particular, however, it is not always easy to check all the essential points using the SAP® standard on-board tools. This is where the experienced auditors at IBS Schreiber GmbH can provide support.
Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.
This is exactly what we are using.
There can be multiple permissions for each authorization object.