Goal of an authorization concept
A complicated role construct
Tax reporting: The tax reporting system in SAP is based on the accounting area. The Profit Centre is not intended as a reporting unit here.
RFC connections are interfaces for many local and global system processes, but also a security-relevant source of errors for many companies. The RFC interfaces and associated system users often have too strong authorizations and can quickly be misused by unauthorized persons to view sensitive company data. It is therefore important to always keep these system connections in the focus of global monitoring and to check which RFC destinations lead where and what they do. For this purpose there is the program RSRFCCHK which allows you to perform specific tests for your RFC system landscape. On the one hand the content of the RFCDES table is checked and on the other hand the corresponding user properties of the system users are displayed as an overview. Consequently, important parameters such as the target machine, the client, the background user or also the password property can be checked in an overview.
Translating texts into permission roles
You will be aware that you do not necessarily have to move in the Customer Name Room when assigning names of PFCG roles and therefore have a lot of freedom. The only limitation here is that you may not use the namespace of the roles that are interpreted by SAP. First, you must agree on the form of the names. A fundamental decision is to define the language in which the PFCG roles must be maintained. Although this does not necessarily have an influence on the role name, since it is the same in all languages, you will certainly have descriptive elements in your role name. The role description and the long text are also depending on the language. It is therefore useful to start the roles in the language which is also used most frequently, and also to cultivate the descriptive texts first in this language. If roles are required in different languages, you can translate the texts.
How to maintain security policies and map them to your users is described in Tip 5, "Defining User Security Policy." You need a separate security policy for administrators to implement this tip, which is often useful for other reasons. In this security policy, you then set the policy attribute SERVER_LOGON_PRIVILEGE to 1. For example, you can also include the DISABLE_PASSWORD_LOGON policy attribute setting, because administrators often want to be able to log in with a password on the system.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
The freeware Scribble Papers is a "note box" in which all kinds of data can be stored. It takes in typed texts as well as graphics and entire documents. The data is then organised in folders and pages.
This ensures that your changes and connections to the respective PFCG roles are retained and new permissions checks for the new release are added to the applications.
In the SAP system, you can create derived roles for specific fields in authorization objects.