Edit Old Stand
Further training in the area of authorization management
Add SAP Note 1433352 to your system. This note ships with the RSAUDIT_SYSTEM_STATUS report. This report documents the current status of the Client and System Modification Settings in an overview, which you can also print out for evaluation if required. The advantage of this report is that pure display permissions are necessary to execute it.
After you have determined the data for the website, you must now generate the initial password and send it by e-mail and unlock the user if necessary. There are also different solutions - we describe a possible course of action. You can generate a password using the GENERATE_PWD import parameter of the BAPI BAPI_USER_CHANGE. The generated password is then set as the initial password and must be changed at the next login by the user. You must also set the PASSWORDX import parameter to display a password change. The generated password is returned using the export parameter GENERATED_PASSWORD. This is required if you want to call the BAPI BAPI_USER_CHANGE from a central system (e.g. from the ZBV) and send the relevant e-mail from that system. You should never save this password, but include it directly in your application in an email. Subsequently, you send this e-mail to the user whose e-mail address you can determine either directly in the SAP system (parameter ADDSMTP of BAPI_USER_GET_DETAIL) or within the scope of your web application (e.g. from the AD). Even if you find the email address in the AD, we advise you not to send the email from there. To avoid the password being unnecessarily transferred, it is better to initiate the despatch within your central SAPS system. In addition, we strongly advise you to send the emails encrypted with the initial passwords. To do this, the implementation of your self-service must set the encryption flag when creating the email. We describe details about the encryption of emails and an alternative sending of the initial password directly from the affected SAP system in Tip 98, "Encrypt emails".
User Management
The organisation of a company is represented in the SAP system. Keep an overview here to identify dependencies and control access permissions in an organisation-specific way. In customising, different organisational values are stored for the individual ERP components to enable an organisational mapping of the root and movement data. This mapping is required, among other things, to control access permissions or constraints. We will show you how you can get an overview of the well-maintained organisational units and see dependencies between the different organisational values.
Our example role MODELING makes it clear that it is possible to assign different types of privilege to a role. The SAP HANA Studio shows you in the administration interface which user (the so-called grantor) has assigned the respective privilege to this role (granted). By filtering and sorting, you can optimise the appearance of the role content. Depending on the type of privilege, you will be presented with the appropriate details by selecting an entry.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
You can use authorization objects to restrict access to tables or their content through transactions, such as SE16 or SM30.
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
The permissions on database objects show you the details of the user's permissions to access the object.