SAP Authorizations Set up login locks securely - SAP Basis

Direkt zum Seiteninhalt
Set up login locks securely
If the system trace has recorded permission data for this authorization object, it will appear in the right pane of the window. In the left pane, you can see the existing suggestion values. If you notice that you do not have any suggestion values that you think are necessary and have been recorded by the trace, you can set the suggestion values to Yes by selecting the appropriate row, column or field in the right pane and clicking the Apply button. You are free to make any manual adjustments to the field values. Afterwards, confirm maintenance and your changes are saved for this authorization object. Do the same for all other authorization objects.

Do this once in your system. For example, you can jump from the MM50 transaction to the MM01 transaction without explicitly assigning transaction startup permission to the MM01 transaction through the S_TCODE authorization object. You can see this call in your System Trace for Permissions in the Additional Information column for testing. There you can see that the CALL TRANSACTION call has disabled the permission check. The user is allowed to jump into the transaction MM01, although in the role assigned to him Z_MATERIALSTAMMDATEN only permissions for the transactions MM03 and MM50 are recorded.
Correct settings of the essential parameters
In these cases, the total permissions from the RFC_SYSID, RFC_CLIENT, and RFC_USER fields will not be applied. However, you will always see a system message. These constraints cannot be changed by the settings of the customising switch ADD_S_RFCACL in the table PRGN_CUST.

When creating the PFCG individual roles in the respective SAP system, you should create the menu structure so that they can be combined with other individual roles in a single role. Once you have created the individual roles with the correct role menu, you can assign them to a collection role. Add the Role Menu to the Collect Roll using the Read Menu button. The menu can now be finally sorted. If changes to the roll menu are necessary, however, you must first make them in the individual rolls and then remix them in the roll roll (using the Mix button, see figure next page above). Transactions from other SAP systems such as SAP CRM, SAP SCM etc. can also be integrated into the NWBC. To do this, you first create the PFCG role for the relevant transactions in the target system. From the individual roles you can create collection roles with a defined menu structure.

If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.

To do this, you define and activate organisation-relevant fields as an organisational criterion (see Tip 62, "Organisationally restrict table editing permissions").

For these events, you can then define individually configurable messages using the RSAU_WRITE_CUSTOMER_EVTS function block.
Zurück zum Seiteninhalt