SAP Authorizations Goal of an authorization concept - SAP Basis

Goal of an authorization concept
Prevent excessive permissions on HR reporting
To calculate the recommendations, you can filter the SAP Notes by productive system, by SAP solution, by applications and components, by technical system name, and by time of publication. The recommendations are issued in the following categories: security-relevant SAP information, information on performance optimisation, HotNews, information on changes in legal regulations, and notes on corrections in the ABAP system.

At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.

So much information... how can you keep it so that you can find it again when you need it? That's what Scribble Papers is great for.

The changes made by implementing the note or upgrading to the above support packages do not only affect the SAP_ALL profile. In principle, it remains possible to assign full authorization for the fields RFC_SYSID, RFC_CLIENT, and RFC_USER; however, this can only be done manually in transaction PFCG through dialog maintenance of the fields. In this case, an additional dialog box opens, indicating the security risk, and you must confirm it. As a consequence of this change in the behaviour of the SAP_ALL profile, all automatic methods for adopting full authorization are no longer available for the fields of the S_RFCACL authorization object.
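As an added example (not part of the original page and not SAP code), the following script audits exported role data for authorizations that still carry full authorization in the S_RFCACL fields named above. It assumes a CSV export whose columns are named after fields of table AGR_1251; the role names, authorization names and values in the sample are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: CSV export of role authorization values (assumed
# column names follow table AGR_1251). All roles and values are made up.
SAMPLE_EXPORT = """AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH,DELETED
Z_RFC_TRUSTED_ALL,S_RFCACL,T_RF000100,RFC_SYSID,*,,
Z_RFC_TRUSTED_ALL,S_RFCACL,T_RF000100,RFC_CLIENT,*,,
Z_RFC_TRUSTED_ALL,S_RFCACL,T_RF000100,RFC_USER,*,,
Z_RFC_TRUSTED_ALL,S_RFCACL,T_RF000100,ACTVT,16,,
Z_RFC_SOLMAN,S_RFCACL,T_RF000200,RFC_SYSID,SM1,,
Z_RFC_SOLMAN,S_RFCACL,T_RF000200,RFC_CLIENT,100,,
Z_RFC_SOLMAN,S_RFCACL,T_RF000200,RFC_USER,*,,
Z_RFC_OLD,S_RFCACL,T_RF000300,RFC_SYSID,*,,X
Z_MM_DISPLAY,S_TCODE,T_MM000100,TCD,MM03,,
"""

# The three S_RFCACL fields the text says can only be set to full
# authorization manually in PFCG.
CRITICAL_FIELDS = ("RFC_SYSID", "RFC_CLIENT", "RFC_USER")


def find_wildcard_rfcacl(export_text):
    """Return {(role, authorization): sorted critical fields set to '*'}."""
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["OBJECT"].strip() != "S_RFCACL":
            continue
        if row["DELETED"].strip().upper() == "X":
            continue  # entries flagged as deleted are not effective
        field = row["FIELD"].strip()
        if field in CRITICAL_FIELDS and row["LOW"].strip() == "*":
            hits[(row["AGR_NAME"].strip(), row["AUTH"].strip())].add(field)
    return {key: sorted(fields) for key, fields in hits.items()}


def classify(fields):
    """FULL when every critical field is '*', otherwise PARTIAL."""
    return "FULL" if set(fields) == set(CRITICAL_FIELDS) else "PARTIAL"


if __name__ == "__main__":
    findings = find_wildcard_rfcacl(SAMPLE_EXPORT)
    for (role, auth), fields in sorted(findings.items()):
        print(f"{classify(fields):7} {role} {auth}: {', '.join(fields)}")
```

Findings are grouped per authorization instance rather than per role, because the field values only combine within one authorization.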
Temporarily disable Central User Management
The applications (transactions, Web Dynpro applications, RFC function modules, or Web services) are detected through their start authorization checks (S_TCODE, S_START, S_RFC, S_SERVICE) and can be placed in the role menu of your role. In your role, go to the Menu tab and import these applications by clicking Apply Menus and selecting Import from Trace. A new window will open. Here you can evaluate the trace and view all recognised applications in the right window. To do this, click the Evaluate Trace button and select System Trace (ST01) > Local. In a new System Trace window, you can specify the evaluation criteria for the trace, such as the user (using the Trace only for users field) or the time period over which the trace was recorded. Then click Evaluate.

The More node details area allows you to configure additional settings. For example, if you activate the Default Page setting, the selected transaction (in our example, MM03) is called first when the parent folder (in our example, the Material Stems folder) is opened. The Invisible setting means that the transaction is not visible in the menu, but can be called from a button.

Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.

An alternative to using the S_TABU_LIN authorization object is to create custom table views that make organisational delimitation easier to achieve.

It is also important to note which mandatory functional separation must be taken into account.