SAP S/4HANA® Launch Pack for Authorizations
Authorization concepts in SAP systems
In each filter, you can define for which clients and users events should be recorded. You can record the events depending on their audit class or categorisation, or you can select them directly via the detail setting. For the Client and User selection criteria, you can use generic values, i.e. you can select all clients or users that meet specific naming criteria (e.g., Client 10* or User SOS_*). For example, you can filter the loggers of multiple emergency users.
First, select the authorization object that you want to maintain. There can be multiple permissions for each authorization object. Then load the trace data by clicking the Evaluate Trace button. A new window will open again, where you can set the evaluation criteria for the trace and limit the filter for applications either to applications in the menu or to all applications. Once the trace has been evaluated, you will be presented with all checked permission values for the selected authorization object. With the Apply button, you can now take the values line by line, column by column, or field by field. In the left part of the window, you will see the permission values added to the suggestion values already visible. After confirming these entries, you will be returned to the detail view of your role. You can see here the additions to the permission values for your authorization object.
Object S_BTCH_ADM (batch administration authorization)
The role menu of the PFCG role now consists of folders that represent all logical links within a scope start page, and external services that represent the logical links and the area start pages themselves. This means that any external service listed in the Role Menu is eligible for a Area Start Page or Logical Link. If such an external service is removed from the role menu and the PFCG role is generated, the user of this PFCG role does not have permissions to view this external service (see screenshot next page). You will find duplicate, maybe even triple, entries from external services. These are mainly found in the folders of the homepage and under GENERIC_OP_LINKS. You can delete them without any concern, because an external service for a permission must appear only once in the Role menu. For a better overview, it is also useful to rename the external services or folders as they are shown in the SAP CRM Web Client.
In the SU53 you get the entry of the user that is stored there, and this may be old. So it is better to let the user himself display the authorization error via the menu. Maybe you create a small docu for all your users how to display the error and where to send it, so a "Cooking Recipe: How To...". In the SU53 error excerpt, the first thing that is displayed is the authorization that the user is missing. So this object has to be analyzed. In the further part of the error message, the permissions assigned to the user are displayed. This information can be used to classify the user with his role set, where he belongs etc. Finally, in our case 1, we now have the missing authorization and must now clarify whether the user should receive this authorization or not. In addition the specialist department must be contacted, which has to decide whether the user receives the permission! It can happen that the problem reported by the user is not an authorization problem at all. Then the last authorization error is displayed in the SU53 area, which is not the cause of the error at all. Therefore, it is always good to have a screen image of the actual error message sent to you as well. It is not uncommon for developers to issue an authorization error of the type "No authorization for..." from their programs, but they have not checked this with a standard authorization check at all, so that the error is not an actual authorization error.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
This report can be found in the User Information System (transaction SUIM).
When called, the application started via a transaction checks whether the authorization exists and whether the user is allowed to perform the selected operation.