SAP Authorizations Query Data from Active Directory - SAP Basis

Direkt zum Seiteninhalt
Query Data from Active Directory
Task & functionality of the SAP authorization concept
The SAP standard offers various ways to record and play on a massive scale. These tools are generally available for all operations in the SAP system, not just for role maintenance. Therefore, they are also more complex to operate, in order to be able to cover as flexibly as possible all possible application scenarios. eCATT is also no exception, so many users are still afraid to use it. But we can tell you from experience: After the second or third time, the creation of the test scripts is so quick that you'll wonder why you haven't always done it this way.

Changes to SAP user data should be uncomplicated and fast. Users can make requests for SAP systems themselves. In exceptional and emergency situations, SAP users should be assigned extended authorizations quickly and for a limited period of time. Simplified assignment and control of exception authorizations in SAP systems is required. You can freely and flexibly determine the duration of these authorization assignments. Decisions can be controlled and monitored across systems. Whether it's recertification of SAP users, vacation requests or birthday wishes: all these things can now be processed and managed centrally in one place.
Features of the SAP authorization concept
However, the permission trace is a long-term trace that you can turn on using the auth/authorisation_trace dynamic profile parameter. This trace is user- and client-independent. In the USOB_AUTHVALTRC table, the trace supplements the permissions checks that were not captured before the application ran. This function can also be used for customer-specific developments. Now, go to the RZ11 transaction, enter the auth/authorisation_trace parameter name in the selection box, and click View. You will now get to the detailed view of the profile parameter with all properties and the link to a documentation. To turn the trace on, click Change Value and a pop-up window will open. Enter "Y" or "F" for filters here if you want to define a filter (see Tip 38, "Use SU22 and SU24 transactions correctly") and save your input. A warning appears informing you that the parameter value would be reset when the application server is launched.

In a redesign, we follow the principle of job-related workstation roles to technically map the job profile of the employees. To minimize the effort for the same job profiles with different organizational affiliations, the organizational units are inherited via an additional role. The separation of technical and organizational requirements greatly simplifies role development and modification. If certain people, such as team leaders, require extended authorizations, key user roles are developed for them, which extend the existing job role.

If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.

This entry only forces a permission check on S_PATH and the ALL permission group; You should, however, only grant such permission very restrictively.

This value occurs for the following users: - technical user - user is not present - user is not valid - user is of type reference user.
SAP BASIS
Zurück zum Seiteninhalt