
Defining the Scope of Authorization Checks

If you are using the profile generator, you can reduce the scope of the authorization checks (Maintain the Authorization Default Values, transaction SU24).

When SAP system transactions are executed, a large number of authorization objects are often checked, since the transaction calls other work areas in the background. For these checks to be executed successfully, the user in question must have the appropriate authorizations. This results in some users having more authorization than they strictly need. It also leads to an increased maintenance workload.

When the profile generator generates a profile, it selects all of the authorizations associated with an activity. The generated profiles are not always complete (especially in older releases of the profile generator), meaning that you may have to add authorizations that are not contained in the profiles manually. (This is mainly the case with programs that call other programs, where the subprogram requires additional authorizations.) To simplify the administrative tasks with the profile generator, consider reducing the scope of the authorization checks in such cases.

Tip

If a user in PA calls a program that in turn calls an HR routine, the user requires the corresponding HR authorizations. If you have not installed the HR components, you may not want to assign all of the HR authorizations required for the PA report to the PA users. In this case, you can deactivate the authorization checks for HR authorizations in the PA transactions.

For an authorization check to be executed, it must be included in the source code of a transaction and must not be explicitly exempt from the check.

Because check indicators control whether an authorization check is executed, you can suppress authorization checks without changing the program code. You also use check indicators to control which objects appear in the profile generator and which field values are displayed there for editing before the authorization profiles are generated automatically.
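The situation in the Tip above, as an added example that is not from this document: a report started by a transaction performs a check for its own work area and then calls a routine from another work area that carries a check of its own. The transaction ZPA_REPORT, the objects Z_PAREPORT and Z_SUBDATA and the field ZAREA are assumed placeholders; the comments describe the check indicator behaviour this page explains.

```abap
REPORT zpa_report.
" Assumed: started via transaction ZPA_REPORT. The kernel checks S_TCODE
" for ZPA_REPORT before this report runs; that check is never suppressed
" by a check indicator (S_* objects are always checked).

PARAMETERS: p_pernr TYPE n LENGTH 8.

START-OF-SELECTION.
  " Check for the transaction's own work area. Object Z_PAREPORT is an
  " assumed customer object; ACTVT '03' means display.
  AUTHORITY-CHECK OBJECT 'Z_PAREPORT'
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
    MESSAGE 'No authorization to display report data' TYPE 'E'.
  ENDIF.

  " The report now calls a routine from another work area in the
  " background. Its check (Z_SUBDATA, below) is the kind you can set to
  " "No check" for ZPA_REPORT in SU24: the statement then returns
  " sy-subrc = 0 when the program runs under ZPA_REPORT (profile
  " parameter auth/no_check_in_some_cases = Y), so PA users do not need
  " Z_SUBDATA, while other transactions calling the same routine keep
  " the standard check.
  PERFORM read_subsystem_data USING p_pernr.

FORM read_subsystem_data USING iv_pernr TYPE n.
  " Z_SUBDATA and its field ZAREA are assumed customer definitions.
  " DUMMY: this call does not restrict the field, so the field value is
  " not checked here.
  AUTHORITY-CHECK OBJECT 'Z_SUBDATA'
    ID 'ACTVT' FIELD '03'
    ID 'ZAREA' DUMMY.
  IF sy-subrc <> 0.
    MESSAGE 'No authorization for the called work area' TYPE 'E'.
  ENDIF.
  " ... read data for iv_pernr ...
ENDFORM.
```

Setting the indicator to "No check" does not remove the statement from the source; the check only ceases to be executed for the transactions where you set it, which is why the Caution at the end of this document applies to each such decision.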

SAP supplies defaults for check indicator and authorization field values, which you should copy. You can edit these copied defaults. Only do this once you have defined the authorization concept of your company.

You can reduce authorization checks within a transaction or exclude an authorization object globally from the check.

Note

Authorization objects from the Basis (S_*) and Human Resource Management applications (P_*, PLOG) cannot be excluded from authorization checks. The field values for these objects are always checked.

For parameter or variant transactions, you cannot exclude authorization objects from a check directly; you can do so only by maintaining the authorization objects of the corresponding core transaction.

Advantages of the Restricted Scope of Authorization Checks in SAP Systems

As explained above, by reducing the scope of authorization checks, you simplify the administration tasks connected with the profile generator. Carefully consider which authorization checks you want to suppress. If you deactivate authorization checks, you permit users to perform tasks for which they are not explicitly authorized. Consider reducing the scope of authorization checks in the following cases:

  • You do not use the authorization object connected with the authorization check (as in the example above).

  • The authorization check for the object S_TCODE still protects the core transaction.

    Note

    The S_TCODE authorization check only provides very general protection. This alone is not a reason to suppress an authorization check.

  • You want to avoid permitting all values for all authorization fields in the authorization object.

    Instead of assigning the asterisk (*) as the placeholder value, you can suppress authorization checks for specific objects in specific transactions. You can use a standard authorization check for the same authorization object for other transactions.

    Caution

    If you reduce the scope of authorization checks, you allow users to perform activities without ensuring that the users have the required authorization. This can have undesired consequences. Consider very carefully before suppressing authorization checks.