Scenario-Based Authorization Checks
Delivering new authorization checks in existing SAP coding causes pain and disruption in existing SAP landscapes. To ease the pain of our customers, we provide a mechanism called scenario-based authorization checks.
New authorization checks have always posed problems for our customers. New authorization checks in existing coding break existing authorization concepts in business processes, forcing our customers to adapt roles and profiles. In the meantime, business interruptions were unavoidable.
Reasons why delivering new authorization checks is necessary include the following:
- When you created your application, you did not cover all possible cases.
- New legal requirements force you to update your application.
- New technical advances provide the means to bypass your existing security concept.
SAP or your own custom development can use scenario-based authorization checks to deliver new authorization checks for existing applications or business processes in an initially inactive state. Delivering in this way enables you to plan for and customize the implementation of the authorization checks in existing authorization concepts. Developers can decide to deliver scenario definitions in an active state, but active delivery should be the exception to the rule.
The scenario-based authorization check framework enables you to do the following:
- Do nothing.
  The scenarios are delivered in an inactive state. It is up to you to decide if and how you want to make them productive. Development can deliver scenarios in an active state; in these exceptional cases, you cannot decide how and when to activate them.
- Make the new authorization checks delivered by SAP or your custom development productive, after existing roles and profiles have been adapted.
- Run through the scenario in trace mode to see which changed authorizations are necessary for you, and decide on the authorization checks individually.
What the Developer Does
When the developer realizes the need for new authorization checks in his or her coding, the developer calls the method CL_SACF=>AUTH_CHECK_SPEC in the coding. With this method, the developer specifies a scenario name and the conditions under which the new authorization checks are called. Then, for each scenario, the developer delivers a scenario definition. The scenario definition contains the new authorization checks. Definitions are development objects delivered by transports or file upload.
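The following is an added illustration of the developer step described above; it is not code from this page or from SAP. It shows a new authorization check wrapped in a call to CL_SACF=>AUTH_CHECK_SPEC so that the check stays dormant until the administrator activates the scenario. The scenario name ZSACF_DEMO_EXPORT, the authorization object ZEXPORT, the report name and the class name are constructed for the example, and the parameter names ID_SCENARIO_ID, ID_OBJECT, ID_FIELD1/ID_VALUE1 and the exception class CX_SACF_AUTH_CHECK_FAILED are assumptions about the CL_SACF signature that should be verified against the method definition in your system (transaction SE24).

```abap
" Added example, not from the SAP documentation: a new authorization check
" guarded by the scenario-based authorization check framework.
" Assumed (verify in SE24): parameter names ID_SCENARIO_ID, ID_OBJECT,
" ID_FIELD1/ID_VALUE1 and the exception class CX_SACF_AUTH_CHECK_FAILED.
" Constructed names: report ZSACF_DEMO_EXPORT, scenario ZSACF_DEMO_EXPORT,
" authorization object ZEXPORT with field ACTVT.
REPORT zsacf_demo_export.

CLASS lcl_export DEFINITION.
  PUBLIC SECTION.
    METHODS export_customer_data.
ENDCLASS.

CLASS lcl_export IMPLEMENTATION.
  METHOD export_customer_data.
    " The scenario ZSACF_DEMO_EXPORT is delivered with the scenario definition
    " in an inactive state. Whether a failed check is enforced, only recorded
    " (trace mode) or skipped entirely is decided by the administrator in the
    " scenario status, not here in the coding. The existing behaviour of the
    " report is therefore unchanged until the scenario is made productive.
    TRY.
        cl_sacf=>auth_check_spec(
          id_scenario_id = 'ZSACF_DEMO_EXPORT'   " scenario name (constructed)
          id_object      = 'ZEXPORT'             " new authorization object
          id_field1      = 'ACTVT'
          id_value1      = '16' ).               " activity 16 = execute
      CATCH cx_sacf_auth_check_failed.
        " Reached only when the scenario is active and the user lacks
        " the authorization; the export is then refused.
        MESSAGE 'No authorization to export customer data' TYPE 'E'.
    ENDTRY.

    " ... existing export logic continues here unchanged ...
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  NEW lcl_export( )->export_customer_data( ).
```

The scenario definition itself (the object and field values the check should test) is maintained separately as a development object and transported alongside the coding, which is what lets the administrator review and adapt it in transaction SACF before activation.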
What the Administrator Does
After importing the new developments into your system, you can make the scenario productive as it is, or modify the suggested authorization checks in the scenario according to your needs, unless the developer delivered the scenario with an active status. Making a scenario productive and modifying a scenario are customizing activities. Once productive, you can transport the scenarios as customizing objects to other systems in your system landscape.