SAP Authorizations Schedule PFUD transaction on a regular basis - SAP Basis

Direkt zum Seiteninhalt
Schedule PFUD transaction on a regular basis
Permissions objects already included
You can disable this new behaviour for the SAP_ALL profile by setting the customising switch ADD_S_RFCACL to the value YES in the table PRGN_CUST. If the ADD_S_RFCACL entry is YES, SAP_ALL still contains the total permissions for the S_RFCACL authorization object.

In order to provide user authorisation support, you often need their information. However, there is also the possibility to view missing permissions centrally for all users. If a user has a permission issue, a ticket is usually displayed at support. However, it is difficult for a support worker to understand permissions errors because they have different permissions and are often missing detailed information about the application where the permission error occurred. In practice, therefore, support staff often help themselves by asking the user to send a screenshot of the transaction SU53. Because this transaction shows the last failed permission check. In many cases, however, the information displayed there is not helpful to the permission administrator. You may have seen that a screenshot from the SU53 transaction shows a missing permission for typical base authorization objects, such as S_ADMI_FCD, S_CTS_ADMI, or S_TRANSLAT, but you know that your check has nothing to do with the actual permissions problem in the application. So you need the opportunity to see for yourself.
Consolidate user-level role mapping
In order to be able to act fully at all times in emergency situations, an SAP emergency user must be available who has all authorizations for the entire SAP system (typically by means of the composite profile SAP_ALL). However, this not only makes him a great help, but also extremely dangerous, so that his use must be precisely regulated via a dedicated concept.

If you want to know more about SAP authorizations, visit the website

Depending on the configuration of root data and processes, different permission checks can be relevant, so that it makes sense to adjust the proposed values. If custom applications have been created in the form of Z-transactions, Web-Dynpro applications, or external services, you must maintain suggestion values for these applications to avoid having manual permissions in the PFCG roles. You must ensure that custom applications are not always visible in the SU24 transaction. This is the case for TADIR services and external services. To learn how to make these services available for suggestion maintenance, see Tip 38, "Use the SU22 and SU24 transactions correctly.".

The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".

This can be done via transaction SUPC.

To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.

Often the permissions to S_DATASET are too generous, the SPTH table is not well maintained and S_PATH is not used at all.
Zurück zum Seiteninhalt