Immediate authorization check - SU53
Analyzing the quality of the authorization concept - Part 1
Despite progressive use of web interfaces in the S/4HANA context, batch processing for mass data is still required. However, our experience from customer projects shows that only very few authorization administrators know how to correctly authorize the scenarios. SAP OSS Note 101146 provides a good overview here. In this blog post, we would like to summarize the context for practical use.
In our example, the end user logs on to an SCM system, but can also call ERP transactions from here. To have these ERP transactions available in SAP SCM, create a new PFCGE role in SAP SCM, e.g. ZS:XXXX:ERP_MENU. The ERP transactions that the user should have access to are added to the roles menu by selecting Apply Menus > From Other Role > Destination System. Now select the appropriate ERP system and then select the appropriate PFCG role from SAP ERP. You do not need a profile for this "menu role" because this role only includes the ERP menu. You can now sort the transactions in the Hierarchy pane by using drag and drop or by using the arrow keys as you need them in the NWBC.
User and authorization management
Authorizations are used to map the organizational structure, business processes and separation of functions. Therefore, they control the access options of users in the SAP system. The security of business data depends directly on the authorizations assigned. For this reason, the assignment of authorizations must be well planned and executed in order to achieve the desired security.
You can't keep an eye on everything. Therefore, avoid that your colleagues do not assign users to a user group, and thus ensure that the user master data maintenance permissions check is correct. You do not want a user without a user group to be able to be created in your SAP systems? Users without a user group can be changed by all administrators with permission for any user group. You should also prevent incomplete permission checks when assigning roles and profiles to users without a permission group. Because it is possible to assign roles and permissions to a user first, and then assign a user group that does not have permission to assign roles and profiles. Finally, do you want to change the user group for an existing user without having permission for the new user group? In the following section we will show you how to secure your user master data maintenance.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
If you want to know more about SAP authorizations, visit the website www.sap-corner.de.
Authorization concepts are thus the key to optimal protection of your system - both externally and internally.
Access is still allowed for all characteristics or value fields that are not defined as fields of the authorization object.