Maintain transaction start permissions on call CALL TRANSACTION
Data ownership concept
For the entries in the SPTH table, note that the application defines whether a file is accessed with or without the path. For example, the related transactions ST11 (error log files) and AL11 (SAP directories) behave differently. While ST11 opens almost all files without a path (they are in the DIR_HOME directory anyway), AL11 basically uses fully specified file names with a path. An entry in the SPTH table with PATH = / is therefore misleading. It specifies that the defined access restrictions apply to all files specified by path. However, this only applies to applications that access files using a specified path. However, applications that access files without a path are not restricted; Files in the DIR_HOME directory may be excluded.
No external services can be added manually in transaction SU24. To do this, you must turn on a permission trace that takes over. You can enable the permission trace using the auth/authorisation_trace dynamic profile parameter. You can enable this parameter by using the transaction RZ11 (Profile Parameter Maintenance) by entering the value Y as a new value and selecting the Switch to All Servers setting.
Further training in the area of authorization management
You can view the contents of the checked permission fields by double-clicking on the respective variables. The Variables 1 tab displays the variables with the respective values used for this eligibility check. These values correspond to the values that you also see in the System Trace for Permissions. If a permission check ends with SY-SUBRC = 0 when no appropriate permissions are available, verify that the check is turned off locally via the SU24 or globally through the SU25 or AUTH_SWITCH_OBJECTS transactions.
In the SU22 transaction, the developers of an application maintain the proposed values for all required authorization objects; the authorisation trace helps in this. As described in SAP Note 543164, the dynamic profile parameter auth/authorisation_trace of the trace is set to Y (active) or F (active with filter). By inserting the SAP Notes 1854561 or the relevant support package from SAP Note 1847663, it is possible to define a filter for this trace via the STUSOBTRACE transaction, which you can restrict by the type of application, authorization objects, or user criteria.
Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.
Implement SAP Note 1599128.
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
If the role should only allow access to certain external services, regardless of the customising (or only to the external services specified in the customising), it becomes a little trickier.