SAP Authorizations Use Central User Management change documents - SAP Corner

Direkt zum Seiteninhalt
Use Central User Management change documents
Preventing sprawl with the workload monitor
Do you have considerable care effort due to additional roles that you cannot deduce? Create a new organisational level to solve your problems. In the SAP system, you can create derived roles for specific fields in authorization objects. This is possible only if these fields are organisation levels. Unfortunately, not all fields that you need as an organisation level are laid down in the standard as such, such as the cost centre. It may also be that you only use one sales organisation in your company and would therefore like to define the sales office. So there are several reasons why you want to define a field as an organisational level. We will explain how this works and what you need to consider.

Confidential information from your SAP system can also be sent by email. Make sure that this data is only transmitted encrypted. Your SAP system contains a lot of data, which is often confidential. This can be business-critical or personal data or even passwords. It happens again and again that such data must also be sent by e-mail. Therefore, make sure that this information is always encrypted and signed if necessary. Encryption is intended to ensure the confidentiality of the data, i.e. that only the recipient of the e-mail should be able to read it. The digital signature serves the integrity of the data; the sender of an e-mail can be verified. We present the configuration steps required for encryption and provide examples of how to encrypt the sending of initial passwords. There are two ways to encrypt and sign emails in the SAP system: via SAPconnect, via a secure third-party email proxy.
Bypass Excel-based Permissions Traps
The case that the user buffer is not up to date is very rare. The auth/new_buffering profile parameter sets the value 4 to immediately update the permissions, i.e. changes to the user root or roles or profiles, and write them to the USRBF2 database table without requiring a new login. This value is set by default. The fact that the buffer is not up-to-date is recognised by the fact that existing permissions that are not in the buffer are marked in the transaction SU56 with the note "In the root data but not in the user buffer".

After these preparations, we now proceed to the expression of the User-Exit in the validation that has just been created. To do this, you copy the User-Exit definition in the created custom programme, specify a name for the User-Exit definition (e.g. UGALI) and create a new text element.

For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.

A new window will open again, where you can set the evaluation criteria for the trace and limit the filter for applications either to applications in the menu or to all applications.

If you want to know more about SAP authorizations, visit the website

Removing role assignments manually in user master kits is very tedious.
SAP Corner
Zurück zum Seiteninhalt