Displaying sensitive data
Note the maintenance status of permissions in roles and their impact
If transactions are changed in the role menu of a single role, this option is automatically suggested to the operator. In this option, the profile generator will match the pre-existing permissions data with the SU24 transaction permission proposals from the role menu. If new permissions are added to the permission tree during this comparison, they will be marked with the Update status New. Permissions that existed before the match are assigned the Alt update status.
To release jobs - own jobs or jobs of other users - a permission for the object S_BTCH_JOB with the expression JOBACTION = RELE is still required. In running operations, scheduled batch jobs may be cancelled because a step user is deleted or locked. With the help of the BTCAUX09 programme, you can check jobs as an administrator to see if they can be cancelled in the future. If you want to run these jobs under another step user, you can change them either with the transaction SM37 or with the report BTC_MASS_JOB_CHANGE.
SAP Data Analytics
One way of gaining direct access to downstream systems from the development system and possibly performing unauthorized activities there is to use incorrectly configured interfaces. In principle, interfaces within a transport landscape should be avoided with regard to the criticality of the systems "uphill", i.e. from an "unsafe" to a "safe" system (e.g. E system to Q or P system). However, this cannot always be implemented; for example, such interfaces are needed within the transportation system. Without going too deeply into the subject, however, critical interfaces can be characterized by the following properties. Critical interfaces refer to a critical system and a critical client, contain an interface user with critical authorizations in the target client, contain its deposited password.
The indirect role assignment uses the evaluation paths PROFLO and PROFLINT for assigning the PFCG roles to the corresponding users. However, these evaluation methods ignore the object CP (central person), which represents the business partner in SAP CRM. In transaction PFUD, which provides for the user comparison, the evaluation paths US_ACTGR and SAP_TAGT are used. Again the object CP is not known.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
For example, in an authorization object for a company code, if the user is to be given the option of using company code 1000 in display mode only (i.e. read only), but company code 2000 in "change" and "display" mode, the object is defined accordingly with two instances.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
You can select the audit structures or area menus you use in role editing and import them into the roles as menus.