Conclusion and outlook
SAP authorizations: Recommendations for setting up, monitoring and controlling
In our example, the end user logs on to an SCM system, but can also call ERP transactions from there. To make these ERP transactions available in SAP SCM, create a new PFCG role in SAP SCM, e.g. ZS:XXXX:ERP_MENU. The ERP transactions that the user should have access to are added to the role's menu by selecting Apply Menus > From Other Role > Destination System. Now select the appropriate ERP system and then the appropriate PFCG role from SAP ERP. You do not need a profile for this "menu role" because it only contains the ERP menu. You can now sort the transactions in the Hierarchy pane by drag and drop or with the arrow keys, in the order you need them in the NWBC.
In the SU22 transaction, the developers of an application maintain the proposed values for all required authorization objects; the authorization trace helps with this. As described in SAP Note 543164, the dynamic profile parameter auth/authorization_trace is set to Y (active) or F (active with filter). After implementing SAP Note 1854561 or the relevant support package from SAP Note 1847663, you can define a filter for this trace via the STUSOBTRACE transaction and restrict it by application type, authorization object, or user.
Perform upgrade rework for Y landscapes' permission proposal values
Applications use the ABAP statement AUTHORITY-CHECK in the program source code to check whether the user has the appropriate authorizations and whether these authorizations are defined appropriately, that is, whether the user administrator has assigned the field values the programmer requires. In this way, you can also protect transactions that are accessed indirectly by other programs. AUTHORITY-CHECK searches the profiles specified in the user master record for authorizations for the authorization object named in the AUTHORITY-CHECK statement. If one of the authorizations found matches all of the specified field values, the check is successful.
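As an added illustration of the AUTHORITY-CHECK pattern described above (example code written for this page, not taken from it or from SAP): a wrapper report that protects an indirectly started ME23N with S_TCODE and then checks a hypothetical custom object before proceeding. The report name and the custom object Z_PURCH_ORG with its fields EKORG and ACTVT are assumptions.

```abap
REPORT z_po_display_check.

" Constructed example. Assumptions:
" - Z_PURCH_ORG is a hypothetical custom authorization object created
"   in SU21 with the fields EKORG and ACTVT.
" - This report calls ME23N on the user's behalf, so ME23N is reached
"   indirectly and must be protected by the program itself.
PARAMETERS: p_ekorg TYPE ekorg.   " purchasing organisation to display

" Check 1: start authorization for the indirectly called transaction.
AUTHORITY-CHECK OBJECT 'S_TCODE'
  ID 'TCD' FIELD 'ME23N'.
IF sy-subrc <> 0.
  MESSAGE 'No start authorization for transaction ME23N' TYPE 'E'.
ENDIF.

" Check 2: application-specific check on the custom object. Every field
" of the object is listed; a field that must not be checked would be
" passed with DUMMY instead of FIELD.
AUTHORITY-CHECK OBJECT 'Z_PURCH_ORG'
  ID 'EKORG' FIELD p_ekorg
  ID 'ACTVT' FIELD '03'.            " 03 = display

CASE sy-subrc.
  WHEN 0.
    " All field values matched one authorization in the user's profiles;
    " the explicit checks above protect this indirect transaction start.
    CALL TRANSACTION 'ME23N'.
  WHEN 4.
    " The user has no authorization with exactly these field values.
    DATA(lv_msg) = |No authorization to display purchasing org { p_ekorg }|.
    MESSAGE lv_msg TYPE 'E'.
  WHEN OTHERS.
    " Other values point at a defect in the check itself (for example a
    " field name that does not belong to the object) or at a missing or
    " faulty profile; treat them as failure, never as success.
    DATA(lv_err) = |Authorization check failed, sy-subrc { sy-subrc }|.
    MESSAGE lv_err TYPE 'E'.
ENDCASE.
```

So that PFCG can propose S_TCODE and Z_PURCH_ORG for a role containing this report, maintain the corresponding proposal values in SU24 (customer tables), as described in the SU22/SU24 passages of this page.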
The best way for companies to combat a historically grown, uncontrolled sprawl of authorizations is to prevent it. An analysis of whether the current authorization concept is sufficient for the company helps here.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
Change the password, assign it to the SUPER user group, and log it with the Security Audit Log.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
You can get an overview as follows: call transaction SU22 (SAP tables) or SU24 (customer tables), enter e.g. "ME23N" in the "Transaction code" field and execute.