Even if key users (department users/application support) do not have to develop their own authorization objects and cooperation with SAP Basis is always advantageous, there are often technical questions such as "Which users have authorization to evaluate a specific cost center or internal order?
Query Data from Active Directory
As part of the SAP Access Control solution, the Business Role Management component serves the central role management. In addition to other useful functions, it also offers the automation of mass maintenance of role withdrawals. To do this, you must first place the organisational matrix in the customising (transaction SPRO), i.e. you enter the values or value ranges in the Organisation Level Mapping details area for the different organisation fields. At this point, however, you do not specify which reference roles should be derived for these organisational values.
As with an SAP_NEW role, it is possible to generate an SAP_APP role. As with the SAP_APP profile, all permissions are included here, except the base permissions and the HCM permissions. The ability to create this role with the report REGENERATE_SAP_APP exists after inserting the SAP note 1703299. This report generates a role that is fully usable for all applications. However, we recommend using this role only for development and test systems.
Authorization concepts in SAP systems
Every company knows the situation, every year again the auditor announces himself to perform the annual audit and to certify the balance sheet at the end of the audit. In the first part on this topic, the focus was on the relevant processes and documentation. In this part, the concentration is on a deeper level, namely directly in the SAP® system. The specifications for this should already be written down in the SAP® authorization concept.
Permissions profiles are transported in the standard (since release 4.6C) with the roles. If you do not want to do this, you have to stop the data export in the source system by the control entry PROFILE_TRANSPORT = NO. The profiles must then be created by mass generation before the user logs are matched in the target system. This can be done via transaction SUPC.
With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.
Therefore, an SAP_NEW profile is always bound to a specific base release.
This report checks at user or single-role level which tables have permissions based on the S_TABU_DIS or S_TABU_NAM authorization objects.