In this series of articles we discuss the "tip" of the day. That is, real cases of requests received in counseling.
Today we discuss "is it worth using user parameters to manage permissions?" What are the advantages and disadvantages?
They are part of the SAP user master data and can be seen through the SU01 transaction. In fact there is a special tab in this transaction called precisely "Parameters"
Please note, not all fields support this functionality, to be able to check this you need to select the field within a certain transaction press F1 and enter the technical information (see image below)
then check for the presence of the field highlighted below
In case it is present it will be possible to used within, for example, transaction SU01
Modify a certain process: This is the most "critical" functionality, i.e., if a parameter with a certain value exists in a user's master data, a certain transaction (which exploits this parameter) may behave in a certain way. The same transaction used by another user, without that parameter will behave differently.
This last feature is the reason why usually the SU3 transaction, which allows users to modify user parameters for themselves, is not released. In favor of SU50 for example. We also discussed this in the article on what the SAP basic role should contain.
The SAP table where you can see all the user parameters is called TPARA while the table that contains the User - Parameter and Value link is called USR05.
It may not be so easy to find complete documentation on each parameter; in fact, some of them are documented through specific notes that one often comes across for specific issues.
Parameters can also be used in the case of SAP FIORI. In the case of using only the APP interface, thus via FIORI, it is suggested to change these parameters only via the web.
Can they also be used to manage aspects of the SAP authorization model?
In the standard in some contexts SAP has done this (see for example SAP CRM systems). However, a specific assessment needs to be made. In fact, one of the biggest issues is to remember this aspect in the long run.
What do I mean by that?
So what happens in the latter case? Users who should have that parameter do not have it (and thus additional calls to the help desk), users who should not have it, actually continue to have it. After years, it is also easy not to find documentation, and so it can also happen that no one then knows what it is really for.
What if you use automated user management tools, such as Identity Management or SAP GRC or IAS/IPS (Identity Authentication Service or Identity Provisioning Service) tools?
Clearly these tools are designed primarily to manage role assignments to users (although with some of these it is clearly possible to manage some other aspects of the user master data, including parameters).
It may therefore not be so simple to integrate the aspect introduced via a user parameter into these tools or anyway it will require additional effort.
In conclusion, consider carefully, especially taking into account the long run whether to use this functionality to manage the authorization aspects