Authorization concepts - advantages and architecture
Note the effect of user types on password rules
In the event that such conflicts nevertheless arise, regular checks should be established as part of an internal control system. Furthermore, the authorization concept includes content such as the integration of the data owner, security-relevant system settings, specifications for maintaining authorization default values (transaction SU24) and documentation requirements.
Set a specific acronym or character to indicate whether your role has critical accesses so that separate assignment or approval rules can be observed for such roles. Define here what"critical"means for your project. Do you only want to identify permissions that are critical to the operation of the SAP system, or business-critical processes? Also define the consistency that has a critical role to play in the assignment to the user.
THE "TOP SEVEN"
Administrative activities are used to control system behavior and make various security-relevant settings. To minimize the risk of a system failure or the creation of a security vulnerability, administrative rights should only be granted to employees in the basic administration. The following list may be supplemented by suggestions from the company's own administration. It contains only the most important authorization objects for each subject area.
If you do not want to use reference users, you can hide the Reference User field for additional permissions via a standard variant for the transaction SU01. The necessary steps are described in SAP Note 330067.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
A warning appears informing you that the parameter value would be reset when the application server is launched.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
For these scenarios, there are several ways to determine which systems and clients to display to the user in the self-service selection.