SAP Authorizations Concept for in-house developments - SAP Corner

Concept for in-house developments
Starting reports
Structural authorizations work with SAP HCM Organizational Management. They primarily define who can be seen, but not what can be seen, based on evaluation paths in the org tree. Therefore, structural authorizations should only be used together with general authorizations. The determination works via a so-called authorization profile. In this profile, the evaluation paths are used to define how to search on the org tree. Function modules can also be stored, which can be used to determine objects from Organizational Management using any criteria. This makes the structural authorizations very flexible.

Login with the user and password of another application (such as an AD or portal): In this case, the Web application must be able to map the login data to a unique SAP user ID. You should choose an application where the user does not easily forget his password.
Service User
Service users are used for anonymous access by multiple persons, such as Web services. This user type is also dialog-capable, i.e. it can log on to the SAP system via SAP GUI. With a service user, multiple logins are always possible, and password change rules do not apply. This behaviour has changed with the introduction of security policies: previously, all password rules were invalid for the service user, whereas now the rules for the contents of passwords also apply to the service user (see Tip 5, "Defining User Security Policy", for details on security policy). The password of a service user always has the status Productive and can only be changed by the user administrator.

The first step in the cleanup process is therefore to find out whether the current authorization concept is sufficient and a cleanup is the best way forward, or whether a rebuild of the authorization concept is necessary. The focus should be on saving the current authorization concept, since rebuilding it takes more time than cleaning it up.

However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".

For example, if you activate the Default Page setting, the selected transaction (MM03 in our example) is called first when the parent folder (the Material Stems folder in our example) is retrieved.

The website www.sap-corner.de offers a lot of useful information about SAP authorizations.


In addition, you cannot elevate the ACTVT field to the organisation level.