Extend permission checks for documents in FI
Communication User
Which authorization objects are checked (SU22)? When calling a transaction, such as the ME23N, various authorization objects are checked. You can get an overview as follows: Call transaction SU22 (SAP tables) or SU24 (customer tables), enter e.g. "ME23N" in "Transaction code" and execute the transaction. As a result you will see all authorization objects that are checked when calling transaction ME23N.
This start authorization check is delivered inactive. To use it, you must activate it. After activation, you can use authorizations to control which Web Dynpro ABAP applications users are allowed to run. For the start authorization check of Web Dynpro ABAP applications, the system uses the authorization object S_START in the same way as the authorization object S_TCODE for transactions. The object has the fields AUTHPGMID, AUTHOBJTYP and AUTHOBJNAM, which correspond to the key fields PGMID, OBJECT and OBJ_NAME of the object catalog (table TADIR). So, during the start authorization check, the Web Dynpro ABAP runtime checks the key of the object catalog entry for the Web Dynpro ABAP application.
Use timestamp in transaction SU25
I show how SAP authorizations can be assessed and monitored by using the Three Lines of Defense model. This method can be applied even if the model is not used for all enterprise risks. You will learn how to integrate the different stakeholders into the lines of defense and harmonize the knowledge for the process. Also, what tools can be used for controls and cleanups in each case. This ensures, for example, that managers are able to assess the risks and derive measures, and that administrators can technically clean up the risks.
Certain SAP authorizations, including those for table maintenance (S_TABU_*) require special attention for data protection reasons. These are known as critical authorizations. In the course of authorization planning, a company should determine which authorizations are to be considered critical, which roles may receive which critical authorizations or values for critical authorization fields, and so on. The German Federal Office for Information Security has compiled detailed information on defining critical authorizations.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
To define the proposed values for the new transaction, use the transaction SU24_S_TABU_NAM.
Done! Now the query can be started with the Run button.