Use Authorization Trace to Track Checked Authorization Objects
- by Lawrence Chung, FI/CO Consultant
- October 15, 2008
The authorization trace feature in transaction ST01 can help you trace all authorization objects being checked at different levels. See an example showing how to use it and how it affects compliance issues in your system.
An authorization object is the key component in the SAP security process. Each authorization object defines what organizational element (e.g., company code) is being checked. It’s important in authorization design to know which authorization objects are being checked in each SAP transaction code.
Sarbanes-Oxley compliance and segregation of duties (SoD) are becoming more and more important in today’s business process design. In SAP implementations, a prerequisite for a good Sarbanes-Oxley and SoD design is to know what authorization checks are conducted in each SAP transaction.
When handling an authorization issue, one of the biggest headaches is usually finding out which authorizations are being checked. Mostly this knowledge comes from the functional expert's experience. For example, putting an authorization group in a General Ledger (G/L) account master (Figure 1) can restrict access to that account, or you can restrict posting to a certain document type by putting an authorization group in the document type configuration, OBA7 (Figure 2).