SAP Authorizations Rebuilding the authorization concept - SAP Stuff

Direkt zum Seiteninhalt
Rebuilding the authorization concept
Deleting table change logs
You can do this by using the P_ABAP authorization object to override the usual permission checks. This applies to all reports that access the logical database PNPCE (or PNP). In case of a P_ABAP permission, the usual checks for authorization objects, such as P_ORGIN or P_ORGINCON, will no longer take place or will be simplified. This also applies to structural permissions. Whether the permission checks are simplified or completely switched off is controlled by the COARS field of the object. To disable all checks, set the value COARS = 2. This value does not limit the data displayed in the legitimate report. If you want to allow advanced permissions for reporting, but you do not want them to be unrestricted, you must select COARS = 1. In this case, you will also designate the P_ORGIN (or P_ORGINCON, P_ORGXX and P_ORGXXCON) authorization object. However, you must be careful not to mark all fields of the objects, otherwise direct access is also possible. Therefore, always write two versions of the P_ORGIN authorization object, one with the functional permissions (permission levels, info types, and subtypes), and one with the organisational boundaries (personnel area, employee group, employee group, and organisation keys). In addition, you will of course need a P_ABAP for the relevant reports with the value COARS = 1.

As the rolls pass, the value ranges for the field in question are searched within a role. Automatic cleanup occurs by writing both value ranges together in all fields. Therefore, you should clean up these entries before you start and create two different roles if necessary. The PFCG_ORGFIELD_CREATE report provides a test run that allows you to identify all the affected roles. The Status column provides an overview of the status of the permission values. If the status is yellow, there are different value ranges for the field within the role; the role must therefore be adjusted.
Implementing the authorization concept in the FIORI interface
On the one hand, sensitive company data must not fall into the wrong hands, but on the other hand, they also form an important basis for decisions and strategic company directions. Avoid a scenario of accidentally accessible data or incomplete and thus unusable reports by implementing your SAP BW authorizations properly.

We recommend that you implement all safety instructions of priority very high (1) and high (2) directly. On the other hand, you can implement medium (3) and low (4) security advisories via support packages, which you should also include regularly. If you are unable to insert a support package at the moment, SAP will also provide you with the priority 3 and 4 security advisories. For the evaluation of the security advisories, you should define a monthly security patch process.

However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".

In this course, existing roles and profiles in authorization management (transaction PFCG) can be extended.

The website offers a lot of useful information about SAP authorizations.

However, you must also check that it has permissions.
SAP Stuff
Zurück zum Seiteninhalt