SAP Authorizations Application Permissions - SAP Basis

Direkt zum Seiteninhalt
Application Permissions
Copy values from the Clipboard to the transaction's PFCG permission fields
In general, you should note that not all relevant change documents of a system are present in the user and permission management. As a rule, authorisation administration takes place in the development system; Therefore, the relevant proof of amendment of the authorisation management is produced in the development systems. By contrast, you will find the relevant user administration change documents in the production systems; Therefore, you should note that when importing roles and profiles in the production systems, no change documents are written. Only transport logs are generated that indicate that changes have been made to the objects. For this reason, the supporting documents of the development systems' authorisation management are relevant for revision and should be secured accordingly.

However, there is also the situation that eligibility fields are collected at organisational levels. If these permission fields have already been filled with values in the PFCG roles, you must refill these organisation levels after categorising the permission fields as organisation levels. The PFCG_ORGFIELD_ROLES report helps you to do this, which matches all the roles with the organisation level fields, i.e. with the permission fields maintained in the organisation level fields.
Copy the user from the Clipboard to the Transaction SU10 selection
For an overview of the active values of your security policy, click the Effective button. Note that not only the attributes you have changed are active, but also the suggestion values you have not changed.

It is important that after the AUTHORITY-CHECK OBJECT command is called, the return code in SY-SUBRC is checked. This must be set to 0; only then a jump is allowed.

If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.

Sometimes, the role content was misaligned and the suggestion values were not neatly maintained, so at some point the permission administrators couldn't figure out what to do.

A nice example is permission concepts that summarise all organisational levels in value roles or organisational roles.
Zurück zum Seiteninhalt