Challenges in authorization management
Immediate authorization check - SU53
You can also evaluate the application log through the SLG1 (ATAX object) transaction; the output of the report CA_TAXLOG seems more useful here. Finally, we have some important information for you: There are individual programmes that can be used read-only, but also offer options for updates to the database. In these cases, additional logic was implemented (e.g. in SAP Note 925217 to the RFUMSV00 programme for the sales tax pre-reporting). Action log data can be accessed via the transaction SLG2 (Object: ATAX) (see also SAP Note 530733). If you want to customise for the annual permissions directly in the production system (so-called "current setting"), the SAP Note 782707 describes how to do this. Basic information about Current Settings is provided in SAP Notes 135028 and 356483. SAP Note 788313 describes in detail the functional components of the time-space test and the additional logging and also serves as a "cookbook" to use in customer-specific developments. How you can prevent access to the SAP menu and only show the user menu to the user, we described in Tip 47, "Customising User and Permissions Management".
This solution is only available via a support package starting with SAP NetWeaver AS ABAP 731 and requires a kernel patch. For details on the relevant support packages, see SAP Note 1891583. In principle, user login to the application server can then be restricted by setting the new login/server_logon_restriction profile parameter.
Consolidate user-level role mapping
Structural authorizations have a so-called root object, i.e. a starting point and an associated evaluation path. The organization chart of the company is stored in SAP HCM. This makes it possible to see how which positions are linked to each other. If a specific piece of information about an employee is required, it can be read out via a path. At the end there is a list of objects.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
If you want to know more about SAP authorizations, visit the website "www.sap-corner.de".
For this extension, you need a kernel patch.