Task & functionality of the SAP authorization concept
Architecture of authorization concepts
SAP delivers authorization objects for Records and Case Management, which you can use to control access to records, cases, documents, and incoming mail items for individual organizational units in your organizational plan in conjunction with corresponding Customizing settings. SAP delivers predefined roles that contain clearly defined authorizations for the respective task areas of the employees. Among other things, these roles also contain the authorization objects for Records Management and Case Management. You can use the roles as a template for your own roles and adapt them to your requirements.
An overview of the actual relevant information for your system landscape can be obtained from the application System recommendations in the Change Management section of the SAP Solution Manager (transaction SOLMAN_WORKCENTER or SM_WORKCENTER). This application will provide you with a recommendation for the SAP and non-SAP hints to be implemented for the evaluated systems.
You should then enable the latest version of the hash algorithms by setting the login/password_downwards_compatibility profile parameter to 0. This is required because SAP systems maintain backward compatibility by default. This means that, depending on your base release, either the new hash algorithms will not be used when storing passwords, or additional outdated hash values of passwords will be stored. You should then check to see if there are any old hash values for passwords in your system and delete them if necessary. Use the report CLEANUP_PASSWORD_HASH_VALUES.
Authorization tools in the SAP GRC Suite ensure that every company can design a highly automated compliance management system that fits exactly. The majority of German companies with an SAP system do not yet use authorization tools. However, the use of SAP authorization tools is a great advantage for many companies. The extent to which the use of authorization tools makes sense depends on the size of a company.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
It controls external access to RFC function blocks independently of users or roles and can be configured to suit your needs.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
In this context, two things should be clarified: Which SAP user is allowed to access which data? How do the roles differ (especially if they are similar)?