Permission implementation
Implementing the authorization concept in the FIORI interface
You can send a signed e-mail to the system you want to announce the certificate to. For example, this is a useful alternative when emailing addresses outside your organisation. A prerequisite for this solution is that a signature certificate exists for your SAP system, in whose certificate list the certificate authority certificate - or certificates - of your users have been imported.
Consulting firms adjust the roles and authorizations in retrospect. This usually means "making the best of it" and making ad hoc adjustments - in other words, not fixing the root cause and cleaning up from scratch. Companies should therefore ask themselves: how can this be avoided? What requirements must a DSGVO-compliant authorization concept fulfill? How can we remain meaningful regarding the authorizations of specific individuals in the system and the purpose of the authorizations?
Solution approaches for efficient authorizations
Not all users should be able to log on to the application server during your maintenance? Use the security policy and a new profile parameter. When you are performing maintenance work on your SAP system, it is always necessary to prevent users from logging into the application server. This often excludes a small group of administrators who are still allowed to log on to the system. Until now, users had to be locked and the group of administrators excluded from this lock. This is now easier by using the security policy in combination with the login/server_logon_restriction profile parameter.
You can use your own authorization objects to develop permission checks to authorise your custom applications or extend default permissions. So far, the maintenance of the authorization objects has been very unmanageable. Authorization objects can be displayed and recreated in the transaction SU21. Creating authorization objects over this transaction has not been very user-friendly. If the input was not done correctly, the dialogue was sometimes not transparent and confusing for the user. The same was true for storing a authorization object. Several pop-up windows indicate further care activities. Another problem is that the proof of use of the authorization object is limited to finding implementations of the authorization object. However, authorization objects are also used in other places, such as suggestion value maintenance and permission maintenance. Another problem is the use of namespaces. For SAPartner who want to maintain their permission checks in their namespaces, the classic name rooms, starting with J, are used up.
Authorizations can also be assigned via "Shortcut for SAP systems".
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
The transaction code must be valid (i.e. entered in the TSTC table) and must not be locked by the system administrator (in the SM01 transaction).
Last but not least, a well-managed suggestion value maintenance helps you with upgrade work on suggestion values and PFCG roles.