ACCESS CONTROL | AUTHORIZATION MANAGEMENT FOR SAP®
Lack of know-how
In the TPC6 transaction, set the periods to be reviewed. In the example shown in the figure below, a group of auditors from North Rhine-Westphalia would be active for the accounting area or cost accounting area (OrgUnit) 1000. In the 2000 accounting area and the 2000 HR accounting area, a Hessen-based payroll tax auditor group would operate.
Login with user and password of another application (such as an AD or portal) In this case, the Web application must be able to obtain a unique SAP user ID to the login data. You should choose an application where the user does not easily forget his password.
Customise Permissions After Upgrade
Typically, users access a table's data through applications rather than directly. If so, you should take precautions and restrict access to sensitive data. End users typically do not access table-level data directly, but the data is displayed in business applications and their display is restricted in context by means of entitlement checks. However, there are cases where generic access to tables via the SE16, SE16N, SM30, SM31 or SM34 transaction is required for administrators, key users, verifiers, etc. For example, a verifier should have read access to all customising tables. However, you do not want to display security-related tables. Key users should be able to access certain reports regularly, but only read information relevant to their work. There are several ways to restrict access to tables by using table tools. This means that users can only access tables or table contents that they want to see. However, we would like to point out that the granting of permissions for these tools in the production environment is considered to be critical to security, since it is very easy to allow access to large amounts of sensitive data in the case of erroneous or excessive permissions. Therefore, only apply these permissions in a restricted way.
The SAP authorization concept protects transactions, programs, services and information in SAP systems against unauthorized access. Based on the authorization concept, the administrator assigns users the authorizations that determine the actions this user can perform in the SAP system after logging on and being authenticated.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
Delete invalid suggestion values: This function corrects the suggestion values if the permission fields contain the entry or * and the actual permission values.
Not uncommon are subsequent requirements from the area of compliance (SOX or similar) or the increased need for protection.