Excursus Special feature for authorizations for FIORI Apps under S/4HANA
Unclear responsibilities, especially between business and IT
The basic idea of the approach described below is to evaluate the previous usage behaviour (reverse engineering) for the definition of the required permissions. In the first step, you configure the retention time of usage data, because each SAP system logs the calls to bootable applications. This way, not only the user, at what time, what transaction, but also the user, which function block was called. These data are then condensed into daily, weekly and monthly aggregates and stored for a specified period. This statistical usage data is originally intended for performance analysis; You can also use them to determine the permissions you need. We described the configuration of the retention time of the statistical usage data in Tip 26, "Use usage data for role definition". Please also refer to our explanations on the involvement of your organisation's co-determination body in the storage and use of the statistical usage data. In addition to the settings described in Tip 26, you should also adjust the retention time for the RFC Client Profile (WO), RFC Client Destination Profile (WP), RFC Server Profile (WQ), and RFC Server Destination Profile (WR) task types using the SWNCCOLLPARREO Care View.
Standard users such as SAP* or DDIC should also be implemented correctly in accordance with the authorization concept or SAP's recommendations. An important preparatory action here is to check whether the passwords have been changed for all standard users.
Introduction & Best Practices
A user trace is therefore also a trace over a longer period of time. Currency of the trace execution, the authorization check is recorded exactly once for each user.
Transaction PFCG also offers you the option of automatically collecting permissions. Not every transaction entered into a single role via a role menu necessarily needs its own permission entry in the permission tree, because some transactions have identical or similar permission proposal values.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
Understanding the structure and functioning of the system is especially important for IT administration. It is not for nothing that "SAP Basis Administrator" is a separate professional field. On the page www.sap-corner.de you will find useful information on this topic.
In order for users to continue to perform their previous actions in the SAP system as usual, you as the permission administrator must revise or add to the authorisation expressions within the framework of the established permission concept.
So much information... how can you keep it so that you can find it again when you need it? Scribble Papers is a "note box" that makes this very easy.
If archive parameters are passed when scheduling a step, a check is performed on the object S_WFAR_PRI.