Evaluation of the authorization check SU53
Starting Web Dynpro ABAP applications
In most cases, customizing is performed using transaction SPRO. However, this is only the initial transaction for a very comprehensive tree structure of further maintenance transactions. Most customizing activities, however, consist of indirect or direct maintenance of tables. Therefore, a random check of the authorization structure in this environment can be reduced to table authorizations. In the case of delimited responsibilities within customizing (e.g. FI, MM, SD, etc.), attention should therefore be paid here to an appropriate delimitation within the table authorizations. Independent of assigned transaction authorizations within customizing, a full authorization on table level combined with a table maintenance transaction such as SM30 practically corresponds to a full authorization in customizing. Normal customizing by user departments generally refers to client-specific tables. Access to system tables should therefore be restricted to basic administration if possible.
You can schedule background jobs in the SM36 and SA38 transactions, but also in a variety of application transactions. It is important to know that special permissions are not necessary for the installation, modification, etc. of your own jobs. An exception is the release of background jobs; it is protected by a permission. Permissions are also required for the activities on other users' background jobs, and the following authorization objects are available in SAP backend processing: S_BTCH_JOB controls the access rights to other users' jobs. S_BTCH_NAM allows you to schedule programmes under a different user ID. S_BTCH_ADM grants parent permissions that are usually only required by administrators.
RSUSR003
SAP authorizations control the access options of users in an SAP system, for example to personal data. Managing this access securely is essential for every company. This makes authorization concepts, authorization tools and automated protection of the SAP system all the more important.
If RFC function modules are called via RFC connections (for example, from an RFC client program or another system), an authorization check is performed on authorization object S_RFC in the called system. This check checks the name of the function group to which the function module belongs. If this check fails, the system also checks the authorizations for the name of the function module. Configure this check with the auth/rfc_authority_check parameter.
Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
This is now easier by using the security policy in combination with the login/server_logon_restriction profile parameter.
Instead of small, modular, job-specific roles, existing roles are continually expanded and assigned to different employees in different departments.