Use Authorization Trace to Track Checked Authorization Objects

  • by Lawrence Chung, FI/CO Consultant
  • October 15, 2008
The authorization trace feature in transaction ST01 can help you trace all authorization objects being checked at different levels. See an example showing how to use it and how it affects compliance issues in your system.
Key Concept

An authorization object is the key component in the SAP security process. Each authorization object defines what organizational element (e.g., company code) is being checked. It’s important in authorization design to know which authorization objects are being checked in each SAP transaction code.

Sarbanes-Oxley compliance and segregation of duties (SoD) are becoming more and more important in today’s business process design. In SAP implementations, a prerequisite for a good Sarbanes-Oxley and SoD design is to know what authorization checks are conducted in each SAP transaction.

Usually when handling an authorization issue, knowing what authorizations are being checked is one of the biggest headaches. Mostly it’s based on the functional expert’s experience. For example, putting an authorization group in a General Ledger (G/L) account master (Figure 1) can impose restrictions to its access, or you can restrict the posting to a certain document type by putting an authorization group in the document type configuration OBA7 (Figure 2).

Lawrence Chung

Lawrence Chung has been working in SAP FI/CO since 1999 and was a consultant with SAP Hong Kong in 2001. He’s a CPA in Hong Kong and a fellow member of the Association of Chartered Certified Accountants. He has been acting as the lead FI/CO consultant in SAP implementations for many leading multinational corporations in various industries. He specializes in Controlling (CO-PA, CO-PC, and ML) and FI/CO integration with logistics (SD/MM, Service Management, and Project System).

See more by this author


Comments

No comments have been submitted on this article. 


Please log in to post a comment.

To learn more about subscription access to premium content, click here.