SAP Authorizations Task & functionality of the SAP authorization concept

Task & functionality of the SAP authorization concept
CONCLUSION
All permission checks are output in table form as an ALV list. You can sort or filter this list by column. Furthermore, all the new features of the transaction ST01, which we listed at the beginning of this tip, have been applied for evaluation. Double-clicking on an authorization object takes you to the authorization object definition, and double-clicking on the transaction takes you to the program location where the permission check is performed. For more tips on how to use this trace, see Tip 32, "Maintain permission values using trace evaluations," and Tip 39, "Maintain suggestion values using trace evaluations."

Thus, after evaluation, you can select all SAP Notes with the status "to implement" and load them directly into the Note Assistant (transaction SNOTE) of the connected system. This is only possible for a development system and if the SAP Solution Manager can use an appropriate RFC connection to the connected system. You should also consider the security advisories that apply to applications that are installed on your system but that you do not use productively. These vulnerabilities can also be used for an attack.
Dissatisfaction and unclear needs in the process
In principle, a technical 4-eyes principle must be implemented within the complete development or customizing and transport process. Without additional tools, this can only be achieved in the SAP standard by assigning appropriate authorizations within the transport landscape. Depending on the strategies used, only certain transport steps within the development system should be assigned to users. When using the SAP Solution Manager ("ChaRM") for transport control, for example, only the authorizations for releasing transport tasks should normally be assigned here. The complete processing of a transport in the development system consists of four steps: Creating and releasing a transport request (the actual transport container), creating and releasing a transport task (the authorization for individual users to attach objects to the respective transport request).

Other project settings should be defined on the Scope, Project Views, Project Employees, Status Values, Keywords, Document Types, Transport Orders, and Cross Reference tabs. After all entries have been made, you must save the project. Do not forget to generate the project. The SPRO transaction allows you to edit the newly created customising project. The first call does not display the newly created project. To view it, click the Record button in the Work Inventory, select your project, and then confirm your selection. After you have successfully created, generated, or edited the project, run the PFCG transaction to create a customising role for the project. Select a name for the role, and then click Create Single Role. Now open the Menu tab and follow the path: Tools > Customising Permissions > Add > Insert Customising Activities. Then choose between IMG Project and View of an IMG Project. All transaction codes from the IMG project are added to the Role menu. Note that this can be a very large number of transactions and can therefore take some time. You can then use the Permissions tab to maintain the authorization objects as usual. Save and generate the role.

If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.

You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.

Remove improperly defined SAP organizational level ($CLASS): This function deletes the $CLASS organizational level that was incorrectly delivered with the GRC Plug-in (Governance, Risk and Compliance).

However, a missing concept can lead to errors in the system.