SAP Authorizations Customise evaluation paths in SAP CRM for indirect role mapping - SAP Basis

Direkt zum Seiteninhalt
Customise evaluation paths in SAP CRM for indirect role mapping
Copy values from the Clipboard to the transaction's PFCG permission fields
You can do this by using the P_ABAP authorization object to override the usual permission checks. This applies to all reports that access the logical database PNPCE (or PNP). In case of a P_ABAP permission, the usual checks for authorization objects, such as P_ORGIN or P_ORGINCON, will no longer take place or will be simplified. This also applies to structural permissions. Whether the permission checks are simplified or completely switched off is controlled by the COARS field of the object. To disable all checks, set the value COARS = 2. This value does not limit the data displayed in the legitimate report. If you want to allow advanced permissions for reporting, but you do not want them to be unrestricted, you must select COARS = 1. In this case, you will also designate the P_ORGIN (or P_ORGINCON, P_ORGXX and P_ORGXXCON) authorization object. However, you must be careful not to mark all fields of the objects, otherwise direct access is also possible. Therefore, always write two versions of the P_ORGIN authorization object, one with the functional permissions (permission levels, info types, and subtypes), and one with the organisational boundaries (personnel area, employee group, employee group, and organisation keys). In addition, you will of course need a P_ABAP for the relevant reports with the value COARS = 1.

You are using the SAP_ALL profile for interface users, and after upgrading to a new Support Package, do you get permission errors? While we cannot recommend using the SAP_ALL profile, we describe how you can resolve this problem in the short term. In newer SAP NetWeaver releases, the SAP_ALL profile no longer contains permissions for the S_RFCACL authorization object. This can lead to permission errors, such as for interface users who have the SAP_ALL profile assigned to them. Please note that we can only recommend using the SAP_ALL profile for absolute emergency users. Therefore, instead of applying this tip, you should preferably clear the permissions of your interface users. To learn how to do this, see Tip 27, "Define S_RFC permissions using usage data." However, such a cleanup of the privileges of your interface users cannot happen overnight. Therefore, we will explain how to resolve the issue in the short term.
Do you want to automatically monitor the security settings of your systems and receive convenient evaluations? We will explain how to use configuration validation. If you have a large SAP system landscape in use, the control of the many different security settings can be complex. You define your security requirements for the entire SAP system landscape; they concern, for example, the settings of the profile parameters, the handling of safety instructions or critical permissions that may only be assigned to emergency users. You can define these requirements in the SAP Solution Manager Configuration Validation application and evaluate compliance with these requirements in all systems.

Only adding an authorization object via SU24 does not automatically result in a check within the transaction. The developer has to include an authorization check exactly for this object in the program code.

If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.

For more information and implementation guidance, use SAP Note 1500054.

This is the only way to achieve a balanced cost-benefit ratio.
Zurück zum Seiteninhalt