SU53 Display authorization data
SAP Basis consists of three layers: a database layer, an application layer and a presentation layer. The database layer manages all the data of the SAP system in a database located on the database server and administered by a database management system (DBMS). The database supplies the connected SAP applications with the required data, data tables or system control tables. It also receives and stores new information generated by the user.
Therefore, there can also be critical permissions, profiles, and roles that do not fit in the naming scheme defined by SAP. Manual identification of critical SAP permissions is difficult overall. However, tools are available that automatically check for critical permissions. In this case, the critical SAP permissions are usually predefined by special verification software. If the critical permissions, profiles, and roles are identified, they should be adjusted according to the permission planning. The system will then be checked to see if the desired system behaviour has been achieved or if malfunctions occur. This adjustment process may be complex in the event of major changes and should not be carried out on the production system.
Provision of Web Dynpro so that all users have access to the Web Dynpro applications via an Internet browser
If you now want to change the permission data, you will be asked for values for the appropriate organisation levels. First enter a tilde (~) and define the value later in the derived roles. Maintain the permissions you want and then generate the master role. Adding the organisational level to the master role Step 2: Define derived roles Create derived roles Assign the master role After you have created the master role, it is the derived roles that are in the process. To do this, re-enter a suitable role name via the PFCG. In our example, it is called "findepartment_d01". For a better overview, it is usually useful to name and number the derivatives after the master roles. You can also define the roles according to a different scheme. After you have created the role, you must then enter the master role in the Derive from Role field in the Description tab. Confirm the Auto Enquiries. Customise the Organisation Levels Now go to the "Menu" tab. There you can see that the data from the master role was automatically copied. Since the role has not yet been generated, the Permissions tab is currently highlighted in red. Therefore, call "Change Permissions Data". The first call should automatically open a dialogue to maintain the organisational levels, as they are still empty. If this is not the case, or if you would like to adjust the organisational levels again in a later case, you can also access them via the button Ordende (see screenshot). If everything worked well, you can now see that the permissions were also automatically taken from the master role. If you generate the role, the permission tab will also appear green. Congratulations, you have successfully created a derived role! Repeat step 2 with the additional derivatives to adjust the organisation levels accordingly.
In order to reduce the variety of different system variations and the related variety of routine tasks, it is necessary to reduce the number of customer specifications. In particular, the implementation, set-up and configuration of the systems and security concepts must be harmonised or returned to the SAP standard. To this end, it is necessary to establish, in cooperation with the relevant IT departments, a standard for, for example, operating systems and databases within the limits set by the product.
For administrators, a useful product - "Shortcut for SAP Systems" - is available in the SAP basis area.
The USR02 table provides a first entry point.
Understanding the structure and functioning of the system is especially important for IT administration. It is not for nothing that "SAP Basis Administrator" is a separate professional field. On the page www.sap-corner.de you will find useful information on this topic.
OBJECTS_LOCKED_IN_REQUESTS: Objects found in unreleased jobs.