SAP Authorizations User administration (transaction SU01) - SAP Basis

Direkt zum Seiteninhalt
User administration (transaction SU01)
Full verification of user group permissions when creating the user
The permissions on database objects show you the details of the user's permissions to access the object. In the following example, the MODELING role includes permission to use the _SYS_BI object with the EXECUTE, SELECT, INSERT, UPDATE, and DELETE privileges. In addition, a user assigned this role is not allowed to pass these privileges on to other users (Grantable to Others). Our role as an example also includes Analytical Privileges and Package Privileges, which are not discussed here.

Create a message to be displayed to the user when permissions checks fail. The tests in this User-Exit are relatively free. This allows you to read table entries, store data from the ABAP application's memory, or read data that is already there. However, you are limited by the interface parameters of the application. In our example, these are the BKPF and BSEG structures and the system variables. If the information from the interface parameters is not sufficient for the test, you can use your programming skills and knowledge about the interdependencies of substitution and validation in finance to find additional data. The following coding allows you to identify the selected offset document entries that you can find in the POSTAB table (with the RFOPS structure) in the SAPMF05A programme. This way you can find many additional data. It is important that the supporting programme processes the User-Exits.
Roles and permissions in SAP SuccessFactors often grow organically and become confusing
When scheduling a job, another user can be stored as the executing user. This means that the individual processing steps of the job are technically carried out by the stored user with his or her authorizations. This means that activities could be triggered that could not be executed with the user's own authorizations.

Regardless of whether you select the degree of simplification COARS = 1 or 2, you should not enter * or SAPDBPNP (programme name of logical database PNP) in the REPID field. With these values, you allow access to the logical databases SAPDBPNP and SAPDBPAP and thus to all contained root data.

With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.

If a valid user group has not been entered in the customising switch, the user group is nevertheless a mandatory field.

This prevents, for example, denial-of-service attacks, which first cause a password to be locked in order to block internal processes.
Zurück zum Seiteninhalt