Coordinate authorisation management in customer-owned programmes
What are SAP authorizations?
The default authorization roles of the new SAP system for consolidation and planning, SAP Group Reporting, are shown in the following graphic. It does not matter whether the system is accessed via the browser (Fiori Launchpad) or via local access (SAP GUI). The authorization roles shown in the graphic merely indicate the technical specifications preset by SAP. However, these can be used as a starting point and adapted accordingly after a copy has been created.
In general, we recommend you to use strong encryption mechanisms and to switch most users to an SSO login. You should then delete the hash values of the user passwords as described above. For release-dependent information on SNC client encryption, see SAP Note 1643878.
Centrally review failed authorisation checks in transaction SU53
You can view the contents of the checked permission fields by double-clicking on the respective variables. The Variables 1 tab displays the variables with the respective values used for this eligibility check. These values correspond to the values that you also see in the System Trace for Permissions. If a permission check ends with SY-SUBRC = 0 when no appropriate permissions are available, verify that the check is turned off locally via the SU24 or globally through the SU25 or AUTH_SWITCH_OBJECTS transactions.
User master record - Used to log on to the SAP system and grants restricted access to SAP system functions and objects via the authorization profiles specified in the role. The user master record contains all information about the corresponding user, including authorizations. Changes only take effect the next time the user logs on to the system. Users already logged on at the time of the change are not affected by the changes.
Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.
We would like to give you some examples of critical permissions in this tip.
This makes it easier to summarise permissions because it is difficult to keep track of the assigned permissions.