Note the maintenance status of permissions in roles and their impact
Query Data from Active Directory
For performance reasons, the SAP kernel checks whether a user is authorised in the permission buffer. However, only profiles and no roles are loaded into the permission buffer. Calling the SU56 transaction will cause you to parse the permission buffer, first displaying your own user's permission buffer. A pop-up window to change the user or authorization object will appear from the Other User/Permissions Object (F5) menu path. Here you can select the user you want to analyse in the corresponding field. The Permissions > Reset User Buffer path allows you to reload the permission buffer for the displayed user.
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
The freeware Scribble Papers puts an end to the confusing paper chaos. The tool is also suitable for storing, structuring and quickly finding text documents and text snippets of all kinds in addition to notes.
Since the introduction of the security policy in SAP NetWeaver 7.31, this report has changed. In older releases, instead of the security policy overview, a profile parameter selection page is offered in the report's startup screen. If you select Show Profile Parameters in this selection view, you will see an overview of the Profile Parameters settings in the upper half of the screen. Here you should pay particular attention to the setting of the parameter login/no_ automatic_user_sapstar and check its setting even after the switch to the security policy.
Conclusion
For simplicity, we want to explain this example by using the PFCG_TIME_DEPENDENCY background job. This job calls the report RHAUTUPD_NEW or can be executed directly with the transaction PFUD. Imagine that there's no transactional code for this job yet.
Launch the QuickViewer for SAP Query with the SQVI transaction. Create a new query named ZMYSUIM on the entry screen. Enter a description of it and - this is the most important step - specify a table join as the data source. You can now specify your data sources on the following screen. You can select the tables in the menu via Edit > Insert Table (or by pressing the button ). In our case, this would be the AGR_ 1251 table for the Role Permissions Values and the AGR_USERS table for the user assignments in rolls. The system automatically proposes a join of the tables via shared data columns. In our example, this is the name of the role.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
To keep your role concept and your user administration maintainable and clean, it is recommended to delete these obsolete roles.
The SAP standard already provides some tables for logging; For an overview of these tables, see SAP Note 112388 (tables requiring logging).