Change documents
Evaluation of the authorization check SU53
The SAP authorization concept also maps the organization of authorizations within the SAP system. The organizational structure defines responsibilities and the authorization hierarchy, while the process organization specifies process steps and the activities and authorization objects required for them in SAP. The authorization concept must therefore be flexible enough to allow future changes in the organization to be implemented quickly and in compliance with the rules.
We now want to describe the necessary settings in the sending application using the example of encrypted sending of initial passwords. To implement this requirement, you can use the BAdI BADI_IDENTITY_UPDATE. This BAdI is also only available via a support package starting from SAP NetWeaver AS ABAP 7.31. For details on the relevant support packages, see SAP Note 1750161. To implement the BAdIs, use the transaction SE18; there you can also see the example class CL_EXM_IM_IDENTITY_UPDATE. For the BAdI BADI_ IDENTITY_UPDATE, you must implement the SAVE method to the IF_BADI_IDENTITY_UPDATE interface.
SAP S/4HANA® Launch Pack for Authorizations
Some queries are also a bit complicated with the SUIM transaction. With SAP Query, you can quickly assemble queries that enable individual and more complex data evaluations. Do you want to know quickly which valid users currently have a modified access to a particular table, or what roles are users granted permission for a particular transaction? The SAP standard tool, the user information system, is an excellent solution for this type of data retrieval. However, at the latest during the next review, targeted queries with data combinations - and thus several SUIM query sequences - must be delivered within a short time. SAP queries can facilitate this task. An SAP Query is essentially a clear way to scan tables for specific data away from the SE16 transaction. There is the possibility to link multiple tables (join), which makes multiple SE16 queries just one SAP query. For example, if you want to know what roles users are entitled to perform the SCC4 transaction, you can use the SUIM transaction to query to determine which users can perform the transaction and view the roles that enable it in another query, but there is no result that shows both.
The critical permissions are defined in these steps: On the Entry screen, select the Critical Permissions button. You will now see two folder pairs in the dialogue tree: - Critical Permissions > Critical Permission - Critical Permission > Permissions Data. In Change Mode in the lower folder hierarchy, double-click the Critical Permission folder, and then select New Entries. In the right-hand pane of the screen, enter the appropriate data for the Eligibility, Text, Colour, and Transaction Code fields. Save your input. When saving, you are asked for a customising job. Please specify it accordingly. Select the entry you just created and double-click to open the Permissions Data folder to maintain the permissions data. Then create a variant. To do this, double-click the Variants to Critical Permissions folder and select New Entries. Enter the name and description of the variant and save your input. Now assign the identifier of the created critical permission to the variant. To do this, select the variant and then double-click in the Variants subfolder to get critical permissions > critical permissions in the input mask. Now click on New Items and select your variant from the list - in our example ZB01. Then save your input. Finally, you can run your report variant with critical permissions. To do this, go back to the RSUSR008_009_NEW entry screen and select the critical permissions option in the variant name pane. Now use the Value Help to select and run the variant you just created.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
The former checks whether authorization checks are present in the source code at all.
This applies to all reports that access the logical database PNPCE (or PNP).