Authorization concepts in SAP systems
Prevent excessive permissions on HR reporting
After you have completed the development of the User-Exit, you still need to transport your validation. To do this, navigate back and highlight the validation you have created. You can now include the objects in a transport order using the Validation > Transport menu path. Finally, you need to activate your validation via the OB28 transaction. Please note that this is only possible for one validation (with several steps if necessary) per booking circle and time. Now your validation will be carried out with additional checks during the document booking via an interface.
We recommend you to transport all these changes. Basically, you should always make changes to organisation levels on your development system and then transport them. If you use multiple clients, you should note that the organisation levels and the proposed permissions are client-independent data, whereas the roles and profiles in question are client-dependent. If you are using more than one client, you must also run the PFCG_ORGFIELD_ROLES report in the other mandates to determine the roles that the new organisation level will contain. With the help of this report, you must then rearrange all the roles listed in the Status column: Orgebene in Role are indicated in red. You can select these roles and then use the Reduce in Roles button to adjust them to the new organisation level.
Managed Services
Regardless of whether you select the degree of simplification COARS = 1 or 2, you should not enter * or SAPDBPNP (programme name of logical database PNP) in the REPID field. With these values, you allow access to the logical databases SAPDBPNP and SAPDBPAP and thus to all contained root data.
With the SAP NetWeaver 7.03 and 7.30 releases, Web Dynpro ABAP applications (as well as other Web Dynpro ABAP functions, see SAP Note 1413011) have been tested for permission to launch such applications. The authorization object that controls this startup permission is S_START. This authorization object is used in the same way as the S_TCODE authorization object.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
The authorizations are combined in an authorization profile that belongs to a role.
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
Users' favourite lists provide valuable information about the transactions they use.