SAP Authorizations Controlling permissions for the SAP NetWeaver Business Client - SAP Stuff

Direkt zum Seiteninhalt
Controlling permissions for the SAP NetWeaver Business Client
Make sense in maintaining proposal values
How to maintain security policies and map them to your users is described in Tip 5, "Defining User Security Policy." You need a separate security policy for administrators to implement this tip, which is often useful for other reasons. In this security policy, you then set the policy attribute SERVER_LOGON_PRIVILEGE to 1. For example, you can also include the DISABLE_PASSWORD_LOGON policy attribute setting, because administrators often want to be able to log in with a password on the system.

You can automate the translation of the texts by using the LSMW transaction. This transaction is intended for migration tasks, but is also very well suited to allow a particular transaction to be repeated and automated. You record the execution of a transaction and get the variables of the text blocks (technical role name, role description, etc.). You can add values from an import file based on Microsoft Excel to each flow loop. For example, the Excel file contains a table with the columns Technical role name, description German, description English. The LSMW script works through the import file line by line and thus role by role.
Check the SAP authorization concept
As in other systems, user maintenance and role/profile assignment must be restricted to the group of user administrators. In contrast to the previous systems, however, roles and profiles are maintained here, so that appropriate rights must be assigned to the role/profile administrators.

However, the authorization trace is not active by default, but must be explicitly activated via the profile parameter "auth/authorization_trace". In transaction RZ11 you can easily and quickly check if the parameter is already set. The profile parameter is set in transaction RZ10. By default, the profile parameter is active in SAP systems (profile parameter transport/systemtype = SAP) and inactive in customer systems (profile parameter transport/systemtype = CUSTOMER).

However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".

A text file is now created under the appropriate path, containing the desired format with the input parameters.

You can also find some useful tips from practice on the subject of SAP authorizations on the page

Administrative activities are used to control system behavior and make various security-relevant settings.
SAP Stuff
Zurück zum Seiteninhalt