System Users
Reference User
This representation has been chosen to show the differences in the classification of user types, because, despite the Global setting for the distribution parameter of the licence data (in the transaction SCUM), the settings in the ZBV may differ from those of the subsidiary system. In addition, you can add the columns ID in the report: Contractual User Type and ID: Show the value in central, which contains the technical values for the user type. If users on the daughter systems are not relevant for the licence measurement, the value User is irrelevant for the licence measurement in the column Contractual User Type. This value occurs for the following users: - technical user - user is not present - user is not valid - user is of type reference user.
Since the maintenance effort would be too great if individual authorizations were entered in the user master record, authorizations can be combined into authorization profiles. Changes to access rights take effect for all users who have entered the profile in the master record.
Context-dependent authorizations
A careless handling of the permissions with sensitive employee data can go quite nicely in the pants. Prevent uncontrolled and extensive reporting access to your HCM data by properly using the P_ABAP authorization object. In many companies, the correct use of P_ABAP is not known. As a result, there are often false expressions that, in the worst case, allow uncontrolled reporting access to all data in the logical database PNPCE (or PNP). This way, you can again erase your access restrictions, which were previously painstakingly defined in a permission concept. Therefore, it is necessary to test the use of P_ABAP in individual cases and to use the existing limitations. In the following we describe the logic behind this authorization object and what it is important to avoid.
In addition, critical commands should be prohibited from the outset. Examples are EXEC SQL, which allows direct access to database tables bypassing certain security mechanisms, and CLIENT SPECIFIED, which allows access to data in other clients.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
This report has two functions: PFCG role consolidation - Identical roles are grouped into a single user base when validity periods overlap or connect directly to each other.
If you want to know more about SAP authorizations, visit the website www.sap-corner.de.
A corresponding eligibility test should not be forgotten.