Organisational allocation
Advantages of authorization concepts
Access options and authorizations are defined and controlled in the SAP authorization concept. How secure business data is in SAP depends largely on the assignment of authorizations and access options for a company's users.
Set a specific acronym or character to indicate whether your role has critical accesses so that separate assignment or approval rules can be observed for such roles. Define here what"critical"means for your project. Do you only want to identify permissions that are critical to the operation of the SAP system, or business-critical processes? Also define the consistency that has a critical role to play in the assignment to the user.
Authorization concept
The first line defines that access to all files is forbidden unless other settings have been made for them in the other lines. The asterisk (*) is in the first place here and in this case for all files and paths. If the asterisk is in a different position, it is interpreted as part of the file name, which is not allowed in Microsoft Windows, for example. In our example table, setting the switches FS_NOREAD = X and FS_NOWRITE = X for all paths prohibits reading and writing. This makes the table a white list. This is preferable to a black list for security reasons. SPTH, on the other hand, becomes a Black List if you remove the first line with PATH = * in our example or if you do not set any of the switches FS_NOREAD, FS_NOWRITE or FS_BRGRU. The second line with PATH = /tmp allows read and write access for all files starting with /tmp, similar to a permission value /tmp*, as an exception to the access ban defined in the first line for all files and paths. This setting is not limited to subdirectories, but includes, for example, all files whose name starts with /tmp-xy. The third line with PATH = /tmp/myfiles defines a permission group with FS_BRGRU = FILE, triggering the subsequent permission check on the S_PATH object. The SAVEFLAG = X switch defines that these files will be included in a backup procedure; however, this is not relevant for the permission award.
When your selection is complete, just exit the image with the green button. You will now arrive at the Details Selector screen, where you can select the selection fields and the output fields (the List Field Selector and Selection Fields tabs) of your table combination. We select the authorization objects and values as selection and the role name, and the user as output fields. Done! Now the query can be started with the Run button. In the background, the system creates a programme that builds the join. As a result, a selection screen appears. Enter"S_TCODE"as object and"SCC4"as field value (we only have one field for this object). When you click Run, all users and the triggers are output to you.
Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.
This missing functionality comes with SAP Note 1902038 and can only be recorded via the respective support packages for SAP NetWeaver Releases 7.31 and 7.40.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
Dialogue users are intended for use by natural persons who log in to the SAP system via SAP GUI (dialogue login).