Extend permission checks for documents in FI
Optimise trace analysis
Assigning clear authorizations to employees is not a sign of mistrust, but offers a high level of protection - both for the company and for the employees themselves. By assigning SAP authorizations on a role-specific basis, each employee is given access to the system according to his or her task.
If you want your own developments to meet your security requirements, just like the standard, you must assign table permission groups to the custom tables. Custom tables, or SAP standard tables that you want to protect in particular, belong to separate, if applicable, customer-specific table permission groups. If extensive permissions are to be granted for system administration or certain applications, this is done with the S_TABU_DIS authorization object for the table permission group. Since many standard tables do not have a table permission group assigned to them and therefore automatically end up in the table permission group &NC&, you should restrict access to this table permission group. For example, certain tables such as T000 (clients) are in a large table permission group (SS: RS: SAP control); therefore, it is better to restrict access via a separate table permission group. You should also always assign custom tables to a table permission group, otherwise they will also be assigned the table permission group &NC&. Therefore, we will explain below how you can create table permission groups and map tables.
Implementing CRM Role Concept for External Services
Of course, you can also use the data obtained with the permission trace (with filter for the S_DATASET authorization object) to express permissions on the object itself. In any case, you should also use the values obtained for the PROGRAM field. In this way, you exclude misuse by modified copies of ABAP programmes. This limitation of access programmes already represents a security gain, even if you do not want to restrict access to paths and files.
Structural authorizations work with SAP HCM Organizational Management. They primarily define who can be seen, but not what can be seen, based on evaluation paths in the org tree. Therefore, structural authorizations should only be used together with general authorizations. The determination works via a so-called authorization profile. In this profile, the evaluation paths are used to define how to search on the org tree. Function modules can also be stored, which can be used to determine objects from Organizational Management using any criteria. This makes the structural authorizations very flexible.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
Proceed as follows: With the transaction SU02, you remove all old, individual profiles from the SAP_NEW composite profile, including the profile that belongs to the start release of your upgrade.
Now assign the reduced SAP_NEW permission profile to all users in the upgrade preparation system, ensuring that all users can work as usual.