SIVIS as a Service
Permissions and User Root Sets Evaluations
The test for the assignment of the SAP_ALL profile is carried out in the SOS differently than in the EWA: If a user is found, assigned to SAP_ALL, and you have not entered it in the corresponding whitelist, it will still be hidden in the subsequent permission checks. Identified users will be output either through a complete list or through examples of specific users. In both cases, you can download the full list in the SAP Solution Manager's ST14 transaction. You can use the Check ID to map user lists to the permission checks. However, you should note that these lists do not contain the evaluations of the whitelists.
Structural authorizations work with SAP HCM Organizational Management. They primarily define who can be seen, but not what can be seen, based on evaluation paths in the org tree. Therefore, structural authorizations should only be used together with general authorizations. The determination works via a so-called authorization profile. In this profile, the evaluation paths are used to define how to search on the org tree. Function modules can also be stored, which can be used to determine objects from Organizational Management using any criteria. This makes the structural authorizations very flexible.
All permission checks are issued in table form as an ALV list. You can sort or filter this list by column. Furthermore, all the new features of the transaction ST01, which we listed at the beginning of this tip, have been applied for evaluation. Double-clicking on a authorization object will direct you to the authorization object definition, and double-clicking on the transaction will direct you to the programme location where the permission check is performed. For more tips on how to use this trace, see Tip 32, "Maintain permission values using trace evaluations," and Tip 39, "Maintain suggestion values using trace evaluations.".
Suitable for this responsible task are, for example, department heads or SAP key users who are familiar with all data access options (cross-module, via report, directly to the raw table, etc.) as well as with the organizational and technical protection measures. By signing the data ownership concept, the responsibility should be acknowledged and taken as seriously and bindingly as, for example, the signature under the purchase contract of a house.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
You define your security requirements for the entire SAP system landscape; they concern, for example, the settings of the profile parameters, the handling of safety instructions or critical permissions that may only be assigned to emergency users.
But are they really necessary? Are these possibly even critical permissions? A review of the Permissions Concept can reveal that critical permissions are in your end-user roles.