AUTHORIZATIONS IN SAP SYSTEMS
Customising User and Permissions Management
The change management process in the SAP® environment can be quite complex. Since program changes are usually transported into the production system, which can potentially have an impact on the annual financial statements, the audit of the process is an essential part of the annual financial statement audit. For this reason, it must be ensured that the process documentation is up-to-date and complete. It must also be ensured that appropriate classifications are defined for various types of change. This is because the process may subsequently differ for each classification. For example, the extent of the test and release steps varies depending on the criticality of the change, and they may even be shortened considerably for low-risk changes. However, it is crucial to justify this in a comprehensible manner. In the change management process, a sufficient test and release phase should be set up by the responsible department. This process step must also be documented in a comprehensible manner, even if it is not always easy to obtain the necessary evidence from the departments. In this process in particular, it is crucial that a clear dual control principle is established, which ensures that the developer is not also the person who ultimately carries out the transport into the productive environment. In preparation, the documentation should therefore be checked for completeness and up-to-dateness and, in a further step, whether the process defined in it has also been followed throughout the year.
Most client programmes are additions to the standard functionalities or variations of the same. Therefore, when you create your own programmes, you can follow the eligibility checks of the standard programmes or reuse the permissions checks used there.
Application Permissions
You have an organizational structure that includes 4 hierarchical levels - authority, department, unit, functional area). The authorization concept in your organization states that access (processing) to Records Management objects should be allowed for an employee only within his/her own organizational unit. However, the authorization check should only take place on three levels. So if a unit is subdivided into further functional areas, all employees of the unit and the functional areas should have the same authorizations. Since department 2 and department 3 work very closely together, employees of department 2 should be able to read all files, transactions and documents of department 3 and vice versa.
In principle, the SAP_NEW permission should not be granted in the production system. The Profiles tab displays the generated profiles in the user master record that are associated with a specific user. Here you can also assign manually created permission profiles from the transaction SU02 - even without direct role mapping. In principle, the recommendation is to use the profile generator (transaction PFCG) to generate authorisation profiles automatically. Special caution is taken when you enter generated permission profiles directly on the Profiles tab, as these assignments will be deleted by matching user assignments with the transaction PFUD if no entry is on the Roles tab for the assignment. You have probably assigned SAP_ALL and SAP_NEW to users for whom there should be no restrictions in the SAP system. But what are these two profiles different from each other and why are they necessary?
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
To do this, select the appropriate entries in the Category and Transport fields and check the Current setting option.
These in-house developments often present serious security vulnerabilities because they have insufficient authorization checks in the coding.