
Friday 24 July 2015

How to Use SU24 for SAP Audit Compliance

Profile Generator uses the data entered through transaction SU24 to determine what authorization objects and field values are pulled into the activity group. It also allows the user to prevent certain authorization objects from being called when a transaction is executed.

When an SAP transaction is executed, authorization objects can either be checked before execution, or full access can be allowed without a check. For these checks to be executed successfully, the user must have the appropriate authorizations in their user buffer.

For an authorization check to be executed, it must be included in the source code of a transaction and must not be explicitly exempted from the check within SU24. Authorization checks can be suppressed through check indicators, without changing the program code. Check indicators also control which objects appear in the Profile Generator and which field values are displayed there for editing. The indicators that control authorization checks are listed below.

U: Test status. The object, if defined in the transaction code, is checked.

N: The object is not checked when the transaction is called.

C: The object is checked when the transaction is called, but values are not entered into Profile Generator.

CM: The object is checked under the transaction, and the field values are entered into Profile Generator.

SAP supplies defaults for check indicators and authorization field values in the tables USOBT and USOBX. You can then edit these defaults using SU24, and the edits will be reflected in the tables USOBT_C and USOBX_C. The field that determines the checks above is the check flag field. Below is the definition of the values for this field.

N: The object is not checked when the transaction is called, even if it is in the code.

Y: The object is checked when the transaction is called. The values for the fields of the authorization object must be maintained in SU24 and are used by Profile Generator.

X: The object is checked, but the field values are not specified in SU24 and are therefore not used by Profile Generator.

U: Not maintained.

Maintaining SU24

As a good SAP audit compliance practice, transaction SU24 should be maintained so that no authorization objects need to be added manually on the authorization tab in Profile Generator. If an incorrect authorization object or field value is brought into Profile Generator, it should be changed only through SU24. This ensures that only correct or blank field values are brought in, so the correct values can be entered and the proper authorizations assigned.

These changes must only be made in the development environments and transported to all other environments so the USOBT_C and USOBX_C tables stay in sync in all environments.
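The check flag values and the sync requirement described above can be reviewed offline from table exports. The following is an added example, not part of the original post or of any SAP tooling: it assumes USOBX and USOBX_C were exported to CSV with columns named NAME (transaction), OBJECT and OKFLAG (check flag), and all transaction and object names in the sample data are constructed.

```python
import csv
import io

# Constructed sample exports (not real system data). The column names NAME,
# OBJECT and OKFLAG are assumptions about how the tables were exported.
USOBX_DEFAULTS = """NAME,OBJECT,OKFLAG
ZTX1,Z_OBJ_A,Y
ZTX1,Z_OBJ_B,X
ZTX2,Z_OBJ_A,Y
"""
USOBX_C_DEV = """NAME,OBJECT,OKFLAG
ZTX1,Z_OBJ_A,Y
ZTX1,Z_OBJ_B,N
ZTX2,Z_OBJ_A,N
"""
USOBX_C_PRD = """NAME,OBJECT,OKFLAG
ZTX1,Z_OBJ_A,Y
ZTX1,Z_OBJ_B,X
ZTX2,Z_OBJ_A,N
"""
CHECKED = {"X", "Y"}  # check flags under which the object is checked


def load(text):
    """Map (transaction, object) -> check flag from a CSV export."""
    rows = csv.DictReader(io.StringIO(text))
    return {(r["NAME"].strip(), r["OBJECT"].strip()): r["OKFLAG"].strip().upper()
            for r in rows}


def suppressed_checks(defaults, customer):
    """Pairs shipped as checked (X/Y) that the customer table sets to N."""
    return sorted(k for k, flag in customer.items()
                  if flag == "N" and defaults.get(k) in CHECKED)


def environment_drift(env_a, env_b):
    """Pairs whose flag differs, or that exist in only one environment."""
    keys = set(env_a) | set(env_b)
    return sorted((k, env_a.get(k), env_b.get(k))
                  for k in keys if env_a.get(k) != env_b.get(k))


if __name__ == "__main__":
    defaults, dev, prd = load(USOBX_DEFAULTS), load(USOBX_C_DEV), load(USOBX_C_PRD)
    for tcode, obj in suppressed_checks(defaults, dev):
        print(f"check suppressed in DEV: {tcode} / {obj}")
    for (tcode, obj), a, b in environment_drift(dev, prd):
        print(f"DEV/PRD drift: {tcode} / {obj} DEV={a} PRD={b}")
```

Each suppressed check is a candidate for review against a documented justification, and any drift entry points to a change that did not go through the transport path.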
