Important components in the authorization concept
Temporarily disable Central User Management
The evaluation performance of the Security Audit Log was optimised from SAP NetWeaver 7.31. For this extension, you need a kernel patch. For the fixes and an overview of the required support packages, see SAP Note 1810913.
See SAP Note 1763089 for information on the system requirements and support packages you need to access the new feature. With these support packages the transaction SAIS, the new AIS cockpit, is delivered. The AIS has thus been switched from the previous role concept to thematic audit structures and offers new functions, such as logging all audit activities. The AIS has existed in the SAP system for quite a long time; It is designed as a tool for testing and evaluating SAP systems and is delivered by SAP ERP to the standard. It includes the function of audit structures, a collection of audit functions on the areas of commercial audit and system audit, including their documentation. The commercial audit includes organisational overviews and balance sheet and process orientated functions. For example, this allows you to evaluate information about financial accounting and tax receipts. The AIS system audit covers general system audits and analysis of users and permissions. For example, it includes functionality to check profile parameters or transport.
Authorization roles (transaction PFCG)
To maintain open permission fields in roles, you need information from the Permissions System Trace. But all transferred manually? Not with this new feature! If you have previously created PFCG roles, you must maintain all open permission fields manually. The information on which values can be entered can be read from the Permissions system trace and maintained manually in the PFCG role. However, this can be very complex, because a function that takes these values into the PFCG role has been missing.
This report checks the customising of the CRM business role for which the PFCG role is to be created, and writes all area start pages and logical links to a text file in the form of external services. This text file is stored locally in the SAP folder under c:/User//SAP. On the Menu tab of the PFCG role, you can upload this text file from File by selecting Menu > Import.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
In addition, RFC users in their daughter systems need permission to read the change documents using the S_USER_SYS authorization object with the new activity 08 (Read the change document).
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
For example, here you can read additional attributes to the new user from an external data source.