Create permissions for customising
Reset Manually Maintained Organisation Levels to Roles
As with an SAP_NEW role, it is possible to generate an SAP_APP role. As with the SAP_APP profile, all permissions are included here, except the base permissions and the HCM permissions. The ability to create this role with the report REGENERATE_SAP_APP exists after inserting the SAP note 1703299. This report generates a role that is fully usable for all applications. However, we recommend using this role only for development and test systems.
This advanced functionality of the transaction SU53 is delivered via a patch. Please refer to SAP Note 1671117 for more information on the required support packages and technical background. Unsuccessful permission checks are now written to a ring buffer of the application server's Shared Memories. This will allow you to view failed permission checks in Web Dynpro applications or other user interfaces, which was not previously possible. Depending on the size of the ring buffer and system usage, up to 100 failed permissions checks per user can be displayed for the last three hours. The size of the ring buffer is calculated from the number of defined work processes. By default, 100 permission checks can be saved per workprocess. You can adjust this size using the auth/su53_buffer_entries profile parameter.
System trace function ST01
Since the introduction of the security policy in SAP NetWeaver 7.31, this report has changed. In older releases, instead of the security policy overview, a profile parameter selection page is offered in the report's startup screen. If you select Show Profile Parameters in this selection view, you will see an overview of the Profile Parameters settings in the upper half of the screen. Here you should pay particular attention to the setting of the parameter login/no_ automatic_user_sapstar and check its setting even after the switch to the security policy.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
Your system has inactive users? This is not only a security risk, as they often use an initial password, but also creates unnecessary licence costs. There will always be inactive users in your SAP system. There may be several reasons for this. For example, they may be management level users that are virtually unused because they are not using the ERP system. It could also be that employees no longer use their SAP user due to a change of position or that outsiders do not work on the SAP system for a while. In any case, you should ensure that these inactive users are either blocked or invalidated. Up to now, you had to select all inactive users with the help of the RSUSR200 report and then manually transfer them into the SU10 transaction to perform the blocking. You can now do this automatically.
With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.
To reduce waiting times, you should archive the documents and set a logical index for key change documents.
To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.
All settings described here can be made via the transaction SM30.