A concept for SAP authorizations prevents system errors and DSGVO violations
Features of the SAP authorization concept
If the ID is maintained for all affected clients, there is no longer a risk that the six digits used from the fifth position of the generated profile name will be the same. For more information on how to handle generated profiles in complex system landscapes, see Tip 54, "Managing Generated Profile Names in Complex System Landscapes.".
The SU10 transaction, as the user administrator, helps you maintain bulk user master records. You can now also select the user data by login data. You're probably familiar with this. You have blocked users, for example, so that a support package can be included. Some users, such as administrators, are not affected. For collective unlocking, you only want to select users with an administrator lock. The mass maintenance tool for users in the transaction SU10 is available for this purpose. This transaction allows you to select by user and then perform an action on all selected users. Until now, users could only be selected by address data and permission data.
Temporarily disable Central User Management
First, select the authorization object that you want to maintain. There can be multiple permissions for each authorization object. Then load the trace data by clicking the Evaluate Trace button. A new window will open again, where you can set the evaluation criteria for the trace and limit the filter for applications either to applications in the menu or to all applications. Once the trace has been evaluated, you will be presented with all checked permission values for the selected authorization object. With the Apply button, you can now take the values line by line, column by column, or field by field. In the left part of the window, you will see the permission values added to the suggestion values already visible. After confirming these entries, you will be returned to the detail view of your role. You can see here the additions to the permission values for your authorization object.
It is very important that critical authorizations are generally subject to a monitoring process in order to be able to ensure that they are assigned in a productive system in a very restricted manner or not at all. Law-critical authorizations in particular, such as deleting all change documents, debugging ABAP programs with Replace, and deleting version histories, must never be assigned in a production system, as these authorizations can be used to violate the erasure ban, among other things. It must therefore be ensured that these authorizations have not been assigned to any user, not even to SAP® base administrators.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
When you save permission proposal values in transport orders, you will notice that generic entries are used instead of detailed BOMs. These generic entries mark all applications, for example, with TR*..
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
The downloading of the table must be monthly.