SAP Authorizations Limitations of authorization tools - SAP Basis

Direkt zum Seiteninhalt
Limitations of authorization tools
Tax reporting: The tax reporting system in SAP is based on the accounting area. The Profit Centre is not intended as a reporting unit here.

Define explicit code-level permission checks whenever you start transactions from ABAP programmes or access critical functions or data. This is the easiest and most effective defence to protect your business applications from misuse, because programming-level permission checks can ensure two things: Incomplete or incorrect validation of the executed transaction start permissions will result in compliance violations. Complex permission checks can also be performed adequately for the parameterized use of CALL TRANSACTION.
You should then enable the latest version of the hash algorithms by setting the login/password_downwards_compatibility profile parameter to 0. This is required because SAP systems maintain backward compatibility by default. This means that, depending on your base release, either the new hash algorithms will not be used when storing passwords, or additional outdated hash values of passwords will be stored. You should then check to see if there are any old hash values for passwords in your system and delete them if necessary. Use the report CLEANUP_PASSWORD_HASH_VALUES.

The high manual maintenance effort of derived roles during organisational changes bothers you? Use the variants presented in this tip for mass maintenance of role derivations. Especially in large companies, it often happens that a worldwide, integrated ERP system is used, for example, for accounting, distribution or purchasing. You will then have to limit access to the various departments, for example to the appropriate booking groups, sales organisations or purchasing organisations. In the permission environment, you can work with reference roles and role derivations in such cases. This reduces your administrative overhead for maintaining functional permissions and reduces maintenance work for role derivations to fit the so-called organisational fields. However, maintaining the organisational fields can mean enormous manual work for you, as the number of role derivations can become very large. For example, if your company has 100 sales organisations and 20 sales roles, you already have 2,000 role outlets. Here we present possible approaches to reduce this manual effort.

However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".

Only a selection of the characteristics defined for the result area - and for the calculation of the result account also the value fields - is possible.

As soon as a Database User is deleted, all (!) database objects created by this Database User are also deleted.
Zurück zum Seiteninhalt