Deleting versions
What are the advantages of SAP authorizations?
The authorisation concept in SAP ERP does not normally allow to limit permissions to individual financial years. However, this is particularly relevant for tax audits. As of 1 January 2002, the electronic tax audit was enshrined in law in § 147 (6) of the German Tax Code. The opinion of the Finance Administration is in the BMF letter of 16.07.2001 (BStBl. 2001 I)"Principles on data access and the verifiability of digital documents"(GDPdU). The electronic control check can be performed in Germany on three types of access: Immediate access: The tax authority shall have the right to inspect the stored data (read-only access) and to use the taxpayer's hardware and software to verify the data, including the master data and links. Mean Access: The tax authority may require the taxable person to perform the read-only processing of the data in accordance with its specifications. Volume Release: Alternatively, the tax administration may require the taxable person to have the stored documents available to it for evaluation on a machine-usable medium.
If you have an older SAP NetWeaver release than 7.00 installed, only two possible values for the customising switch BNAME_RESTRICT are available after the implementation of SAP Note 1731549. The switch is NO, and you can switch it to ALL, so that the switch takes on the same functionality as in the higher releases.
Background processing
SAP Note 1707841 ships an extension to the system trace in the STAUTHTRACE transaction, which enables the permission trace to be used on all or on specific application servers. To select the application servers on which to start the trace, click the System Trace button. Now select the application servers in the list on which you want to run the system trace and start the trace with a click on Trace. In the evaluation of the Permission trace, an additional column named Server Name appears, showing you the name of the application server on which the respective permission checks were logged.
The valid programmes or transactions are stored in the SAP TPCPROGS delivery table, but do not follow a uniform naming convention. Part of the transaction code (e.g. AW01N), part of the report name (e.g. RFEPOS00), or the logical database (e.g. SAPDBADA) is relevant here. Logical databases (e.g. SAPDBADA, SAPDBBRF) are basic data selection programmes and are particularly used in financial accounting. The permission checks, including the time period delimitation, are implemented in the logical database and work for all reports based on a logical database (e.g. the RAGITT00 grid is based on SAPDBADA and the RFBILA00 balance sheet report is based on SAPDBSDF). When you copy the values from the TPCPROGS table, the TPC4 transaction is quickly configured.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
After successful implementation of your permission check, the new authorization object for your application must be maintained in transaction SU24.
You can set the end of a user's validity by clicking the corresponding options for "today" or "yesterday".