List of required organisational levels and their value
Authorizations in SAP systems: what admins should look out for
You can also remove customer-specific organisational levels and convert them to a simple permission field. The report PFCG_ORGFIELD_DELETE serves for this purpose. It removes the permission field from the USORG table and changes the permission proposal values to that field. Finally, it goes through all the rolls that contain a shape to the field. However, it does not restore the old location of the field, because summarised values will no longer be separated when the field is elevated to the organisational level. Instead, the aggregated values are entered separately in each field. The PFCG_ORGFIELD_DELETE report also provides a value aid that shows only the customer's organisational levels. You can also use this value aid to determine all customer-specific organisational levels.
If you want to know more about SAP authorizations, visit the website www.sap-corner.de.
So much information... how can you keep it so that you can find it again when you need it? Scribble Papers is a "note box" that makes this very easy.
The test for the assignment of the SAP_ALL profile is carried out in the SOS differently than in the EWA: If a user is found, assigned to SAP_ALL, and you have not entered it in the corresponding whitelist, it will still be hidden in the subsequent permission checks. Identified users will be output either through a complete list or through examples of specific users. In both cases, you can download the full list in the SAP Solution Manager's ST14 transaction. You can use the Check ID to map user lists to the permission checks. However, you should note that these lists do not contain the evaluations of the whitelists.
RS_ABAP_SOURCE_SCAN
We advise you not to use the self-set password with a self-service as a generated password is more secure. The password is generated depending on the password rules; This is done by first evaluating the settings in the security policy assigned to the user. If no security policy has been assigned to the user, the system will consider the password rules in the profile parameters and in the customising table PRNG_CUST. In order for the associated security policy to be considered, you may need to include the correction provided with SAP Note 1890833. Remember that the BAPI_USER_CHANGE function block does not automatically unlock the user. In the event of a lock-out due to incorrect logins, you still have to unlock the user using the BAPI_USER_UNLOCK.
Existing log files are managed using the SM18 transaction. Here you can delete the log files in all active instances. This requires the indication of a minimum age in days for deletion. The smallest possible value is three days, without taking the current day into account in the calculation.
With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.
Permissions are then set up only for these transactions.
The first step to eliminating sprawl in permissions is to prevent it.