Limitations of authorization tools
Excursus Special feature for authorizations for FIORI Apps under S/4HANA
Business objects to which companies refer authorizations are defined in the system as authorization objects. For individual conditions, SAP delivers the authorization objects F_FICO_IND and F_FICO_AIN. With F_FICO_IND you can define which individual conditions are checked when processing the contract depending on the defined authorization fields and their characteristics. Using the authorization object F_FICO_AIN, companies can define whether and how individual conditions are to be checked when processing in the BAPI channel depending on the defined authorization fields and their characteristics.
The relevant authorization objects are then displayed in an ALV list and the documentation for the authorization object can be called up via the I in the Docu column. This documentation then displays much more detailed information about the respective authorization object as well as the defined fields.
Hash values of user passwords
There is a special feature for roles if the corresponding SAP system is based on S/4HANA. While under SAP ERP only roles with authorizations for the GUI system were relevant, corresponding business roles are required for the applications under FIORI. In addition to the roles in which authorization objects and authorization values are entered, so-called business roles are also required.
For the transport of PFCG roles with their profiles there is also an SAP notice: Note 1380203. If you enter the correction, it is possible to use separate positions for the third and fourth digits of the generated profile name for the definition. In the SAP standard, the name of a generated profile is composed as follows, for example, if the System ID is ADG: T-AG#####. If your other source systems differ only in the second place of the system ID, the profile name does not indicate from which system the profiles originate.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
SAP Basis refers to the administration of SAP system that includes activities like installation and configuration, load balancing, and performance of SAP applications running on Java stack and SAP ABAP. This includes the maintenance of different services related to database, operating system, application and web servers in SAP system landscape and stopping and starting the system. Here you can find some useful information about SAP Basis: www.sap-corner.de.
When displaying or posting receipts in SAP Finance, are the standard eligibility checks insufficient? Use document validation, BTEs, or BAdIs for additional permission checks.
So much information... how can you keep it so that you can find it again when you need it? That's what Scribble Papers is great for.
This makes authorization concepts, authorization tools and automated protection of the SAP system all the more important in order to meet the stringent legal requirements with little administrative effort.