SAP Authorizations - Overview HCM Authorization Concepts
Authorization concept
The panel menus also simplify the maintenance of permissions to the audit structures. You can select the audit structures or area menus you use in role editing and import them into the roles as menus. If you want to set up a constraint on AIS users to specific audit structures or protect individual audits from access, you can use the S_SAIS authorization object. This object controls access to the audit structures or the audit numbers of individual audits.
Are you using the result and market segment statements and need permission checks for combinations of characteristics and key figures not included in the standard? To do this, create specific authorization objects. You can define key figures and result objects (groups of characteristics) for the planning and information system in the result and market segment calculation (CO-PA). You may also want to control permissions by using these characteristics or key numbers. This cannot be reflected with the default authorization objects. Therefore, create authorization objects in the customising of the result invoice.
Create permissions for customising
The path with the associated permission group DEVL contains the local temporary files of the ABAP Frontend Editor of the ABAP development environment (transactions SE38, SE80, SE24, etc.). The two paths with the ADMN permission group show how logically related paths can be grouped into a S_PATH permission check. The two entries with the FILE permission group show how paths for Windows can be completed in systems with application servers of different operating systems. The core.sem and coreinfo entries are required to write run-time errors in the SNAP snapshot table. The dev_ and gw_ entries allow you to view files from the developer trace and Gateway Log in the ST11 transaction. If the suggestion in the first entry of the table is too restrictive, you can choose the alternative in the following table. This entry only forces a permission check on S_PATH and the ALL permission group; You should, however, only grant such permission very restrictively.
The general authorizations are quite normal authorization objects in SAP HCM, which regulates the access to PA/PD infotypes (tables PAnnnn / HRPnnnn), clusters for the own person or for other persons. Typical authorization objects are "P_PERNR", "P_ORGIN", "P_ORGXX", "PLOG" and "P_PLCX".
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
Two other very important settings are the activation of the security audit log and the table logging.
Setting validity on assigned roles also prevents the user from performing actions in the system, but does not generally prevent them from logging in.