Limitations of authorization tools
Displaying sensitive data
Depending on the configuration of root data and processes, different permission checks can be relevant, so that it makes sense to adjust the proposed values. If custom applications have been created in the form of Z-transactions, Web-Dynpro applications, or external services, you must maintain suggestion values for these applications to avoid having manual permissions in the PFCG roles. You must ensure that custom applications are not always visible in the SU24 transaction. This is the case for TADIR services and external services. To learn how to make these services available for suggestion maintenance, see Tip 38, "Use the SU22 and SU24 transactions correctly.".
Different users in your SAP system will have different password rules, password changes, and login restrictions. The new security policy allows you to define these user-specific and client-specific. It happens again and again that there are special requirements for password rules, password changes and login restrictions for different users in your SAP system. There may be different reasons for this.
Ensuring secure administration
You can find the evaluation methods in table T77AW. A valid evaluation method for our example is US_ACTGR. To assign the roles indirectly, the following requirements are required: Organisational management must be active, i.e. you must have defined an active plan variant in the client. To be able to use the employee-user connection in a SAPERP-HCM system, Info Type 0105 (Communication) and Subtype 0001 (User ID) must be maintained. To enable role management via organisational management, you must set the HR_ORG_ACTIVE switch in the PRGN_CUST table to YES in the Customising.
Applications use the ABAP statement AUTHORITY-CHECK in the source code of the program to check whether the user has the appropriate authorizations and whether these authorizations are defined appropriately, that is, whether the user administrator has assigned the values required by the programmer for the fields. In this way, you can also protect transactions that are indirectly accessed by other programs. AUTHORITY-CHECK searches the profiles specified in the user master record for authorizations for the authorization object specified in the AUTHORITY-CHECK statement. If one of the determined authorizations matches one of the specified values, the check was successful.
With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.
SAP Basis is the foundation of any SAP system. You can find a lot of useful information about it on this page: www.sap-corner.de.
In the first part on this topic, the focus was on the relevant processes and documentation.
So much information... how can you keep it so that you can find it again when you need it? That's what Scribble Papers is great for.
You can see this call in your System Trace for Permissions in the Additional Information column for testing.