Using suggestion values and how to upgrade
Efficient SAP rollout through central, tool-supported management
In this article, I show you with which transaction you can easily and quickly run the authorization trace in SAP ERP or SAP S/4HANA. The displayed result provides a good overview of the involved authorizations. In this course, existing roles and profiles in authorization management (transaction PFCG) can be extended. In addition, the authorization trace is useful for maintaining authorization default values (transactions SU22 and SU24).
If you no longer need old audit results, you can archive or delete them with the transaction SAIS via the button (Administration of the Audit Environment). The audit results shall be selected on the basis of the audit structures, the test numbers or the entry date (see figure next page).
Limitations of authorization tools
Here, too, it is possible to create security and an overview with the help of tools for HR authorizations. The tool creates a clear overview of which data certain users are allowed to access in the SAP system. Based on this, it is possible to develop automatic checks that run in the background and regularly monitor whether changes to authorizations have created critical gaps in HR.
When you select the row with the parameter transaction you created and click on the Suggest values button, the S_TABU_NAM authorization object is automatically created with the correct suggestion values, i.e. the table name in the transaction SU24. Check these suggestion values by clicking Yes in the S_TABU_NAM column. You will now end up in a view from the transaction SU24 and can check in the tables authorization objects and Permission Proposition Values (for all authorization objects) which changes to the object S_TABU_NAM have been made automatically. For more information and implementation guidance, use SAP Note 1500054. The SAP Note also provides the SUSR_TABLES_WITH_AUTH analysis report, which specifies table permissions for users or individual roles. This report checks at user or single-role level which tables have permissions based on the S_TABU_DIS or S_TABU_NAM authorization objects. The report does not check whether the user has the transaction startup permissions that are also necessary, such as S_TCODE. For example, if you check what table permissions a particular user has based on the S_TABU_DIS authorization object, you will receive information about the table names, the associated table permission group, and the eligible activities. Granting permissions to access tables directly is flexible and useful, and is not recommended unless the mechanism is hammered out by giving the user general table access through generic maintenance tools.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
If you want to understand how to run a permission check in your code, you can use the debugger to move through the permission check step by step.
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
In our example, you should grant permission for the S_PATH object with the value FILE in the FS_BRGRU field to access files with the path /tmp/myfiles*. Note that the authorization object only distinguishes two types of access.