Print this page
Tuesday, 07 January 2020 14:31

New value help (F4) authorizations

Value Help Overview

Users of an SAP System can use the F4 key to obtain information about the possible input values for a certain field on the screen. This Value Help functionality is very useful for the users as it provides the list of appropriate values to enter while executing specific transactions in SAP.
To get the values in F4, the user needs to have Display access (ACTVT - 03) for the Authorization Object corresponding to the input field/business object that the user is using for Value Help.

Challenges from Security Perspective

Providing Display access to the Business Object not only provides access to Value Help, it also allows access to the full scope of the respective Business Object. The Value Help provides the subset of information about the Business Object, such as Document Number, Type of document, etc.
To provide access to Value Help, you need to provide Display access ACTVT – 03. This however, then enables complete access to that Business Object, ie:.  the entire details about a specific document, regardless of whether the user is entitled to view all those details.

Solution as a part of new Enhancement in Authorization Concept

To overcome this limitation, SAP has introduced a new authorization concept which distinguishes between Value Help and Display Access.
This enhancement in authorization is available in S4HANA Systems (S/4HANA On Premise Edition 1809 or higher). As a part of this enhancement, new activity value “F4” has been introduced which restricts access to Value Help only and prevents access to the full scope of the Business entity.
The schematic diagram below describes the difference between ACTVT 03 and ACTVT F4.

F4 differences, activities 03 and F4

Note: The users who have neither ACTVT 03 nor F4 will not be able to see any data in Value Help.

The Value help Authorization restriction has been applied to multiple transactions, web services and web dynpro applications from different SAP Modules. Please see the note 2682142 - Introduction of activity value 'Value Help' in authorization objects for detailed list.

The tables below may be helpful in analyzing the F4 access restrictions :

  • TACT – List of all the Activity values
  • TACTZ – The mapping of Authorization Objects to ACVT values (it can be used to identify objects having ACTVT F4)

Implementation

The new Authorization defaults are delivered by SAP via the relevant Support Package. When the system is upgraded, you can perform the following Post Processing steps via Transaction SU25.

  • Step 2a - To prepare the comparison for SU24 values
  • Step 2b - If you have made changes to check indicators or field values in transaction SU24, you can compare these with the new SAP default values. The values delivered by SAP are displayed next to the values you have chosen so that you can adjust them if necessary.

As of Basis Version 7.31, you can use SU24 and choose "Default Values Comparison" to restrict the comparison to individual applications (selection by name, development package or application component).

During the implementation phase, in order to prevent any interruption in business activities:

  • You can follow SAP Note 2606478 - REGENERATE_SAP_NEW | bridging authorizations for input helps to assign the full F4 access using role SAP_NEW_F4. Use the report REGENERATE_SAP_NEW for generating role SAP_NEW_F4. Once the role is created, it can be assigned to users that need full Value Help access.

  • Report SU24_REVERT_F4 can be used to remove the Default values (only for ACTVT F4) in SU24.

  • Once the project is stable and ready to use the Value Help restrictions, run step 2a in SU25. This will populate the SU24 defaults with new F4 values.

 

Nandkishor Shinde

Nandkishor Shinde

SAP Security Consultant
SecurityBridge Product Consultant

Email This email address is being protected from spambots. You need JavaScript enabled to view it.

Related items