View system modifiability settings
Perform Risk Analysis with the Critical Permissions Report
The second example requires additional permission checks to display certain documents in the FBL*N transactions. This can be achieved by means of the expression and activation of a function block in the BTE, the so-called processes and events. The sample function module BTE for the event 1650 can be found in the FIBF transaction in the area of Publish-&-Subscribe interfaces (Environment > Information System (P/S)). The sample function module is basically used to enrich data in the item display. To do this, he passes the complete record per document line and expects it to be enriched back. This is exactly what we are using.
For performance reasons, the SAP kernel checks whether a user is authorised in the permission buffer. However, only profiles and no roles are loaded into the permission buffer. Calling the SU56 transaction will cause you to parse the permission buffer, first displaying your own user's permission buffer. A pop-up window to change the user or authorization object will appear from the Other User/Permissions Object (F5) menu path. Here you can select the user you want to analyse in the corresponding field. The Permissions > Reset User Buffer path allows you to reload the permission buffer for the displayed user.
Check the SAP authorization concept
If the proliferation has occurred because the authorization concept was not adhered to, a cleanup is sufficient. If the proliferation has arisen because there are errors and gaps in the authorization concept, these errors must be identified, eliminated and the authorizations optimized. If the concept can no longer be implemented in a meaningful way, or if it has already been set up incorrectly, it will be necessary to create a new one.
The valid programmes or transactions are stored in the SAP TPCPROGS delivery table, but do not follow a uniform naming convention. Part of the transaction code (e.g. AW01N), part of the report name (e.g. RFEPOS00), or the logical database (e.g. SAPDBADA) is relevant here. Logical databases (e.g. SAPDBADA, SAPDBBRF) are basic data selection programmes and are particularly used in financial accounting. The permission checks, including the time period delimitation, are implemented in the logical database and work for all reports based on a logical database (e.g. the RAGITT00 grid is based on SAPDBADA and the RFBILA00 balance sheet report is based on SAPDBSDF). When you copy the values from the TPCPROGS table, the TPC4 transaction is quickly configured.
Authorizations can also be assigned via "Shortcut for SAP systems".
There are several ways to restrict access to tables by using table tools.
After that, it is no longer possible to create new users whose names consist only of variants of spaces or non-visible special characters.