Compensating measures for segregation of duties conflicts
SAP S/4HANA® Launch Pack for Authorizations
The indirect role assignment uses the evaluation paths PROFLO and PROFLINT for assigning the PFCG roles to the corresponding users. However, these evaluation methods ignore the object CP (central person), which represents the business partner in SAP CRM. In transaction PFUD, which provides for the user comparison, the evaluation paths US_ACTGR and SAP_TAGT are used. Again the object CP is not known.
When accessing tables or views, the S_TABU_DIS authorization object is used to grant permission for a specific table permission group in the permission check. Note in this context also Tip 73 "Use authorization objects for table editing" and the S_TABU_NAM authorization object presented there. You can create table permission groups by using the transaction SE54 or by using the V_TBRG_54 care dialogue. They fall under the customising and can only contain four characters until SAP NetWeaver 7.31 SP 2. To create a table permission group, call the SE54 transaction and select Permissions Groups in the Edit Table/View pane. The Create/Modify button provides an overview of the existing table permission groups. For example, this way you can also change the name of a table permission group. In the Table Rights Group overview, click the New Entries button to create a new table permissions group. Give a name for your permission group and a matching name. After you have saved the new entries, your custom table permission group is created.
Permissions and User Root Sets Evaluations
SAP's FI module is one of the most common in the SAP world and covers all business processes in the area of finance and accounting. The processes that run through this module are used for double-entry bookkeeping and recording of documents in the required accounts. It also establishes the associated profit determination for external and internal purposes.
Authorizations can also be assigned via "Shortcut for SAP systems".
You can also find some useful tips from practice on the subject of SAP authorizations on the page "www.sap-corner.de".
Since March 2013, the RSECNOTE report has only been very restricted and therefore contains only a few new safety recommendations.