
Webinar: How authorizations in ECC affect license costs in S/4 RISE with SAP

SAP Authorizations - A Collection of Basic Concepts Part 2


Did you enjoy our last overview of SAP terms? If so, welcome to part two, where we continue to build a glossary of basic elements of the SAP authorization world.

Glossary of the basic elements of the SAP authorization world

Authorization object - an important SAP component from the perspective of authorizations: user access (or more precisely, user authorizations) is controlled by checks programmed against the object. The object usually consists of several fields, e.g. ACTVT (activity) and BUKRS (business unit). Authorization objects are created in transaction SU21.

Field and field values of an object - an authorization object consists of fields, and the fields must be filled with values for the authorizations to work. For example, to display accounting documents the ACTVT field must contain the value 03 (display), and the BRGRU (authorization group) field must contain the group to which the documents are assigned.

GRC (Governance, Risk and Compliance) - in a nutshell, a technology and business area in companies whose main challenges are defining and controlling risks and compliance. SAST is one of the tools available on the global market for managing GRC in small and large organizations.

Authorization conflict - in the human world, it only takes two people interacting for a conflict to arise. In the SAP authorization ecosystem, it takes at least two transactions or sub-processes which, when combined in one user's hands, create a conflict that constitutes a business or technical risk.

SoD (Segregation of Duties) - according to SAP standards, access to transactions should be organized so that the company does not expose itself to risk. What kind of separation of duties is meant? For example, if Anna maintains employee bank account data and Johnny releases the transfers to employees on payday, one person should not hold authorizations for both activities, because that would allow potential abuse. Such a separation and job model must be designed before the target roles are created.


Authorization conflict matrix - a set of grouped conflicts, or "what is in conflict with what". It is good practice to group conflicts by SAP module, and be sure to include your own custom (Z) developments in the matrix. SAST Authorization Management provides a conflict library with more than 100 conflicts defined by module and process.
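As an added illustration of the SoD and conflict-matrix entries above (not code from the article or from SAST), the following Python check runs constructed user, role and conflict-matrix data through a simple SoD evaluation. All role names, transaction codes, conflict ids and user names are sample values; the report distinguishes a role that is conflicting on its own from a conflict created by combining two roles.

```python
# Constructed sample data (not from the article): transactions granted by each role.
ROLE_TRANSACTIONS = {
    "Z_HR_MASTER":   {"PA20", "PA30"},          # maintain employee master data, incl. bank details
    "Z_FI_PAYMENTS": {"F110", "FBL1N"},         # run and release payment proposals
    "Z_FI_DISPLAY":  {"FB03", "FBL1N"},         # display-only accounting transactions
    "Z_FI_ALL":      {"FB60", "F110", "FB03"},  # a role that is conflicting all by itself
}

# Constructed conflict matrix grouped by module: each row names two activity sets
# that one person should not be able to perform together.
CONFLICT_MATRIX = [
    {"id": "HR-01", "module": "HR/FI",
     "risk": "maintain employee bank data and release payroll payments",
     "a": {"PA30"}, "b": {"F110"}},
    {"id": "FI-07", "module": "FI",
     "risk": "post vendor invoices and run payments",
     "a": {"FB60"}, "b": {"F110"}},
]

# Constructed user-to-role assignments; CONSULTANT holds both sides of HR-01 via two roles.
USER_ROLES = {
    "ANNA": ["Z_HR_MASTER"],
    "JOHNNY": ["Z_FI_PAYMENTS"],
    "CONSULTANT": ["Z_HR_MASTER", "Z_FI_PAYMENTS"],
    "AUDITOR": ["Z_FI_DISPLAY"],
    "TEMP_ADMIN": ["Z_FI_ALL"],
}


def transactions_by_role(user, user_roles=USER_ROLES, role_tx=ROLE_TRANSACTIONS):
    """Map each of the user's roles to the transactions it grants."""
    return {r: role_tx.get(r, set()) for r in user_roles.get(user, [])}


def find_sod_violations(user, matrix=CONFLICT_MATRIX, **kw):
    """One record per matrix row the user's combined access violates.

    Each record lists which roles contribute each side, so a reviewer can tell an
    inherently conflicting role (same role on both sides) from a conflict created
    only by combining roles.
    """
    by_role = transactions_by_role(user, **kw)
    violations = []
    for row in matrix:
        side_a = sorted(r for r, tx in by_role.items() if tx & row["a"])
        side_b = sorted(r for r, tx in by_role.items() if tx & row["b"])
        if side_a and side_b:
            violations.append({"conflict": row["id"], "roles_a": side_a, "roles_b": side_b})
    return violations


def sod_report(user_roles=USER_ROLES, **kw):
    """Conflict ids per user, listing only users with at least one violation."""
    report = {}
    for user in user_roles:
        hits = find_sod_violations(user, user_roles=user_roles, **kw)
        if hits:
            report[user] = [h["conflict"] for h in hits]
    return report
```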

Trace - using transaction ST01 (or SAST SGM) you can track the actions performed by a user: the system collects a log of the called transactions and authorization checks, broken down into objects and values. A trace is often used when creating new roles, when the values to fill into a role's fields are not obvious, or when repeated "no authorization" messages appear.

Firefighter - a special user dedicated to emergency situations. It is often assigned roles with extended privileges to put out "fires" on the system, for example when something needs to be fixed quickly so as not to disrupt business processes. Such users are often assigned to external people like module consultants or developers. SAST Super User Management lets you manage firefighter users either by request and approval of the system admin or as permanent access. Every action of such a firefighter from the moment of login is monitored and recorded in the system logs.

SAP_ALL - a profile with full values for every active authorization object on the system. A user with this profile has full authorizations in the business modules (FI, HR, MM, etc.) as well as in development and system administration. It is not recommended to give such a profile to users, especially on a production system. So why is it such a popular slip-up for administrators? Assigning SAP_ALL to a user takes 3 seconds, while analyzing and preparing dedicated roles, testing them and making corrections (laced with impatient comments from the target recipients of the roles) takes a bit longer...

Stars - magical asterisks ("*") may appear in the comments of auditors reviewing our SAP roles: "oh, and here are the asterisks again, someone took the easy way, did anyone verify these roles at all?", "Why does the junior accountant have asterisks on documents, accounts and activities?" What stars are they referring to? An asterisk in SAP = everything, i.e. full authorization on a given authorization object: every type of activity, every document, every table, etc.

SU53 - "send me the SU53 screenshot," you may hear from your authorization admin. This transaction lets you quickly see the missing authorization (for your user) in the form of the authorization object and the value that was checked.
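To show what an asterisk means at check time (the "Stars" entry) and what SU53 reports when a check fails, here is an added Python model of how SAP matches authorization field values; it is not the article's or SAP's code. F_BKPF_BUK, F_BKPF_BES and S_TCODE are standard SAP authorization objects, but the values assigned to them below are constructed, and the model assumes string comparison for ranges and a trailing "*" as a prefix pattern.

```python
# Constructed sample: the authorizations one user holds, grouped by authorization
# object. Each dict is one authorization instance (e.g. from one role); SAP tests
# every field of a check against the SAME instance, so values from two different
# instances cannot be combined. A tuple is a from-to range; "*" and "FBL*" are patterns.
USER_AUTHS = {
    "F_BKPF_BUK": [                                      # accounting documents per company code
        {"ACTVT": ["03"], "BUKRS": [("1000", "2000")]},  # display in company codes 1000..2000
        {"ACTVT": ["01", "02"], "BUKRS": ["1000"]},      # create/change only in 1000
    ],
    "F_BKPF_BES": [{"ACTVT": ["*"], "BRGRU": ["*"]}],    # the "stars" an auditor will flag
    "S_TCODE": [{"TCD": ["FB03", "FBL*"]}],              # transaction start authorization
}


def value_matches(allowed, value):
    """One allowed entry against one tested value (assumed: plain string comparison)."""
    if isinstance(allowed, tuple):
        low, high = allowed
        return low <= value <= high
    if allowed == "*":
        return True
    if allowed.endswith("*"):
        return value.startswith(allowed[:-1])
    return allowed == value


def authority_check(auths, obj, required):
    """required = {field: value}. Returns (True, None) when a single instance
    satisfies every field, else (False, record) where record is what SU53 would
    show: the object and the field/value pairs that were tested."""
    for inst in auths.get(obj, []):
        if all(any(value_matches(a, v) for a in inst.get(f, []))
               for f, v in required.items()):
            return True, None
    return False, {"object": obj, "fields": dict(required)}


def star_audit(auths):
    """List (object, field) pairs granted with a full '*' - the auditor's question."""
    return sorted((obj, field)
                  for obj, insts in auths.items()
                  for inst in insts
                  for field, values in inst.items()
                  if "*" in values)
```

Note that the change check in company code 2000 fails even though ACTVT 02 and BUKRS 2000 both appear somewhere in the user's authorizations: they sit in different instances.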

Need more information? Get in touch with us!

If you like our glossary and would like to take part in a dedicated SAP authorization and conflict workshop, write to us.

We will propose an interesting and tailor-made formula for you.

We Manage the Digital Transformation of Your Business

Do you want to secure your business from cyberattacks? Or are you planning a digital transformation or looking for IT specialists for a project? We'd be happy to help. We are here for you. Let's talk about professional IT services for your business.

Bernadeta Szwarc