SAP Authorizations Check for permissions on the old user group when assigning a new user group to a user - SAP Basis

Direkt zum Seiteninhalt
Check for permissions on the old user group when assigning a new user group to a user
Note the maintenance status of permissions in roles and their impact
In principle, a technical 4-eyes principle must be implemented within the complete development or customizing and transport process. Without additional tools, this can only be achieved in the SAP standard by assigning appropriate authorizations within the transport landscape. Depending on the strategies used, only certain transport steps within the development system should be assigned to users. When using the SAP Solution Manager ("ChaRM") for transport control, for example, only the authorizations for releasing transport tasks should normally be assigned here. The complete processing of a transport in the development system consists of four steps: Creating and releasing a transport request (the actual transport container), creating and releasing a transport task (the authorization for individual users to attach objects to the respective transport request).

You can't keep an eye on everything. Therefore, avoid that your colleagues do not assign users to a user group, and thus ensure that the user master data maintenance permissions check is correct. You do not want a user without a user group to be able to be created in your SAP systems? Users without a user group can be changed by all administrators with permission for any user group. You should also prevent incomplete permission checks when assigning roles and profiles to users without a permission group. Because it is possible to assign roles and permissions to a user first, and then assign a user group that does not have permission to assign roles and profiles. Finally, do you want to change the user group for an existing user without having permission for the new user group? In the following section we will show you how to secure your user master data maintenance.
Managed Services
Well-maintained suggestion values are extremely helpful for creating PFCG roles. We will give you a rough guide as to when it makes sense to maintain suggestion values. SAP provides suggested values for creating PFCG roles in the USOBT and USOBX tables via upgrades, support packages, or hints. These suggestion values include suggested values for permissions of SAP default applications that can be maintained in PFCG roles. Suggestion values are supplied not only for transaction codes, but also for Web Dynpro applications, RFC function blocks, or external services. You can customise these suggestion values to suit your needs. However, this does not happen in the supplied tables, but in the USOBT_C and USOBX_C customer tables. Care is carried out in the transaction SU24.

The website www.sap-corner.de offers a lot of useful information about SAP authorizations.

Existing log files are managed using the SM18 transaction. Here you can delete the log files in all active instances. This requires the indication of a minimum age in days for deletion. The smallest possible value is three days, without taking the current day into account in the calculation.

Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.

Of course, topics such as updating internal and third-party tools, integrating cloud solutions, modern hybrid infrastructures, defining and operating ongoing dynamic changes, etc.

The freeware Scribble Papers puts an end to the confusing paper chaos. The tool is also suitable for storing, structuring and quickly finding text documents and text snippets of all kinds in addition to notes.

With the help of the tool, users always know for what purpose a particular user has been given a particular permission.
SAP BASIS
Zurück zum Seiteninhalt