A concept for SAP authorizations prevents system errors and DSGVO violations
Security within the development system
The general SAP authorizations are used most often and for many things they are sufficient. For example, if only the HR department has access to the SAP HCM system. However, if other users come onto the system and you only want to allow them access to a limited number of personnel, then in the case of the general authorizations you have to deal with the organization key of infotype 1 (VSDK1), which must be hard-coded into the authorization roles. If ESS/MSS or Manager Desktop etc. now come into play, however, this means a large number of authorization roles, namely a separate one for each manager. This makes maintenance and servicing very time-consuming and your authorization concept becomes opaque, which in turn brings the much-quoted auditor onto the scene.
WF-BATCH: The WF-BATCH user is used for background processing in SAP Business Workflow and is created automatically when customising workflows. WF-BATCH is often associated with the SAP_ALL profile because the exact requirements for the permissions depend on the user's usage. The password of the user can be set and synchronised via the transaction SWU3. Safeguard measures: After automatic generation, change the user's password and assign it to the SUPER user group.
Basics SAP Authorizations including Fiori - Online Training
To read or modify data, a user must have both the privilege of performing a specific action and the privilege of accessing the object. The following privileges are distinguished in SAP HANA.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
At "www.sap-corner.de" you will also find a lot of useful information on the subject of SAP authorizations.
Regardless of whether you select the degree of simplification COARS = 1 or 2, you should not enter * or SAPDBPNP (programme name of logical database PNP) in the REPID field.