Features of the SAP authorization concept
FAQ
If an entry in transaction SE97 is correctly created, a permission check is performed in the same way as a transaction startup authorisation. This approach therefore requires an exact and complete configuration for each transaction that is invoked. The required effort and the space for errors are correspondingly large. The CALL TRANSACTION ABAP command does not cause a transaction startup permission check. Without a permission check, the ABAP programme could unintentionally allow users to access system resources. In many cases, such authorisation problems lead to a hidden compliance violation, because this means that the traceability of user actions in the SAP system is no longer guaranteed. A developer should not rely on the functionality of the SE97 transaction and therefore should include the possible permission checks in the code. Therefore, one of the following explicitly coded permission checks for the CALL TRANSACTION statement must be performed.
Transaction SE63 allows you to translate a variety of text in the SAP system. You can find the texts relevant to the permission roles by going to the Translation > ABAP Objects > Short Texts menu. In the Object Type Selection pop-up window that appears, select the S3 ABAP Texts node and select the ACGR Roles sub-point. You can now select the role in the following screen. You must note that the system expects the client to be prefixed, and the next step allows you to maintain the chunk in the target language. The variable AGR_TEXTS 00002 corresponds to the description of the role and the variable AGR_HIERT_TEXT 00001 corresponds to the description of the transactions contained therein. After you have saved the entry, the description of the role is also maintained in the target language, in our example in the English language and visible after the login. Select the source language correctly in the field.
Advantages of authorization tools
You can use the BAdI SMIME_EMAIL of the SMIME extension spot and implement the CERTIFICATE_RETRIEVAL and CERTIFICATE_SELECTION methods according to your requirements. This BAdI is called whenever an encrypted e-mail is sent. An extension allows you to search for a valid certificate at run time (for example, the one with the longest validity) to the recipient's email address in a source you defined. In the default implementation, the BAdI searches for the certificate in the Trust Manager's address book. For details on the availability of BAdIs, see SAP Note 1835509.
In the beginning, the FI and CO modules were separated from each other. Both modules have been combined by SAP as higher-level modules in the accounting area. The main reason for this is the tight process structure, which enables a smooth transition between the two modules. As a result, SAP FI and CO now only appear as the joint module SAP FICO.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
If you want to know more about SAP authorizations, visit the website www.sap-corner.de.
Which SAP user is actually allowed to access what? And how do two similar roles differ? Answers to these and other questions can be found here.
Adapting business processes to legal requirements requires control of users and authorizations.