Translating texts into permission roles
Authorization concepts - advantages and architecture
Many companies are currently converting their current SAP systems from an ERP state to an SAP S/4HANA system. Through this conversion, many technical and also organizational components come upon the respective companies. The time factor for determining, organizing and implementing the necessary components should not be underestimated. The area of security is often neglected in thought, but can lead to major problems and possibly image-related damage - and resulting financial losses - in retrospect. For this reason, the implementation of a comprehensive authorization concept should be considered as early as possible in the project phase, as several components are intertwined here.
Compiling and identifying external services in the role menu of CRM business roles is tricky. We show you how to bring order to external services. In SAP Customer Relationship Management (SAP CRM), the role concept is based not only on PFCG roles, but also on CRM business roles. These roles are created in customising and enable the presentation of CRM applications in the SAP CRM Web Client. In order for a user to work in SAP CRM, he needs both CRM business roles that define the user interface and the respective PFCG roles that entitle him to work in the applications. The CRMD_UI_ROLE_PREPARE report identifies and lists all external services defined in the customising of the CRM business role. These are displayed in the role menu of the PFCG role. You will notice, however, that the displayed services represent only a small part of the external services in the role menu.
Structural authorizations
The SAP NetWeaver Application Server ABAP 7.31 changed the way the transaction SU25 works, especially from step 2a to the automatic suggestion value matching with SAP values. Now, this compares which records have been updated using time stamps. This makes it possible to run Step 2a separately for software components installed afterwards. Another advantage is that the objects to be edited can be better identified due to the time stamp. Before SAP NetWeaver 7.31, the applications to be matched for step 2a have been registered with their base release versions, which you can see in the USOB_MOD or TCODE_MOD tables.
If your users are allowed to share their own background jobs, you need the JOBACTION = RELE permission to the S_BTCH_JOB object. In this case, you can start all jobs at the desired time. In many cases, background jobs are used for the professional or technical operation of applications; Therefore, we recommend that you schedule these background jobs under a System-Type technical user (see also Tip 6, "Note the impact of user types on password rules"). The advantage of this is that the permissions can be controlled more accurately and you do not run the risk of a job being lost if the user under whom it was scheduled to leave your company once. You can realise the association with a system user by giving the user who plans the job permission for the S_BTCH_NAM object. In the BTCUNAME field, the name of the step user, i.e. the user under whom the job should run, such as MUSTERMANN, is entered.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
If no security policy has been assigned to the user, the system will consider the password rules in the profile parameters and in the customising table PRNG_CUST.
If you want to know more about SAP authorizations, visit the website www.sap-corner.de.
It also establishes the associated profit determination for external and internal purposes.