SAP Authorizations Emergency user concept - SAP Corner

Direkt zum Seiteninhalt
Emergency user concept
Which challenges cannot be solved with authorization tools alone?
If you now want to assign PFCG roles indirectly to users via the organisation management, you have to use evaluation methods. Evaluation paths define a chain of relationships between objects within a hierarchy. For example, they define how an organisational unit or a post can be assigned to another organisational unit. This relationship is set to the User ID. However, if the business partner has also been maintained in organisational management, there is no standard evaluation path for this case and the user assigned to the role is not found. However, since in SAP CRM the user IDs are not directly assigned to a post, but via the business partner, you have to make adjustments to the evaluation paths before you can assign the roles indirectly.

Insert SAP Notes 1656965 and 1793961 into your system. With these hints, the report RSUSR_LOCK_USERS is delivered or extended. This report supports automatic selection and blocking of inactive users. To do this, you have to select the criteria in the selection screen of the RSUSR_LOCK_USERS report, according to which you want to lock or invalidate users. You can determine the choice of users by using various criteria. It is recommended to take into account the period since the last login in the Days since last login field and the password status in the Days since password change field. You have the option to check the result of the selection and view the users found. To do this, select the Test of Selection action in the Select Action pane. You can also choose between the User Lock-outs (Local Lock-outs) and User Unlock (Local Lock-outs) actions in this area. You can set the end of a user's validity by clicking the corresponding options for "today" or "yesterday". Note that you can only set the validity for current users.
Advantages of authorization concepts
SAP customers do not maintain suggested values in this transaction. However, there are cases where data in the SU22 transaction is maintained in a customer environment. If TADIR services or external services are developed by the customer or partner, these services are not available by default in the SU22 transaction or the SU24 transaction. For these services, the header data must first be written to the USOBHASH table, which serves as the basis for maintaining the services. These entries in the USOBHASH table are generated automatically when running TADIR services. Read Tip 41, "Add external services from SAP CRM to the proposal values", for dealing with external services. Once the data in this table is available, you have the option to maintain the proposed values.

With the introduction of security policy, it is now possible to define your own security policy for System or Service users. This way you can ensure that backward-compatible passwords are still used for these users. This eliminates the reason that password rules were not valid for System/Service type users; Therefore, the rules for the content of passwords now apply to users of these types. Password change rules are still not valid for System or Service type users. If you are using security policy in your system, you can use the RSUSR_SECPOL_USAGE report to get an overview of how security policy is assigned to users. This report can be found in the User Information System (transaction SUIM). In addition, the user information system reports have added selected security policies to the user selection. This change was provided through a support package; For details, see SAP Note 1611173.

Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.

At this point, however, we would like to point out that you may not evaluate the favourites without prior consultation with the users, because the stored favourites are user-related and therefore personal data.

The website www.sap-corner.de offers a lot of useful information about SAP authorizations.


Subsequently, fill in the fields of transaction SU01 with the data from the personnel master record.
SAP Corner
Zurück zum Seiteninhalt