Implementing the authorization concept in the FIORI interface
Analyzing the quality of the authorization concept - Part 1
With the transaction SUIM you can search under roles, roles with different search criteria. The variant "Roles by complex selection criteria" covers all possible selection criteria. However, you can also search only for a specific selection criterion (e.g. only for transactions, only for authorization objects...).
Finally, you can extend your implementation of the BAdIs BADI_IDENTITY_SU01_CREATE and pre-enter additional fields of the transaction SU01. To do this, complete the appropriate SET_* methods of the IF_IDENTITY interface. For example, it is possible to assign parameters that should be maintained for all users, assign a company, or assign an SNC name.
Permissions with Maintenance Status Changed or Manual
SAP*: The SAP* user is part of the SAP kernel, and since it is hard-coded in the SAP system, it does not require a user master set. If there is no user master set for SAP*, anyone can log on to the SAP system after rebooting with this user, as the default password will then apply. The user thus has access to all functions, since Authority Checks in this case do not take effect. You can prevent this behaviour by setting the login/no_automatic_user_sapstar profile parameter to 1. If you want to copy clients, you have to set this parameter to 0 again before you do so, because the user SAP* is required for this. Safeguard measures: Despite the parameter setting, the SAP user should have a user master set in all clients. However, you should remove all profiles and lock the user. In addition, change the password, assign the user to the SUPER user group, and log it with the Security Audit Log.
Your compliance requirements specify that background jobs that are used should be maintained with permission proposals? We'll show you how to do that. Particularly in the banking environment, there are very strict guidelines for the permissions of background jobs used for monthly and quarterly financial statements, etc. Only selected users or dedicated system users may have these permissions. In order to clearly distinguish these permissions from the end-user permissions, it is useful to explicitly maintain the permissions for specific background jobs with suggestion values, so that these values can be used repeatedly to maintain permissions and are therefore transparent. You may have noticed that in the transaction SU24 you have no way to maintain background job credentials. So what's the best way to do that?
With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.
In such extensions or your own programmes, you must implement permission checks and may also create your own authorization objects.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
In the FIORI environment, there are basically two different types of access via a tile.