Make sense in maintaining proposal values
User administration (transaction SU01)
After creating a authorization object, you should do the following: Make the permission check implementation at a convenient location in your code. Maintain the proposed values for the application in the transaction SU24. Re-load the role in the PFCG transaction if the application has already been rolled. If it is a new application, adjust the roles by including the new application in the Role menu, and then maintaining the permissions of the authorization objects loaded into the role by the suggestion values.
Even more critical is the assignment of the comprehensive SAP® standard profile SAP_ALL, which contains almost all rights in the system. Therefore, it should be assigned to a so-called emergency user at most. The handling of the emergency user should also be specified in the authorization concept, which should be documented in writing. In any case, the activities of the emergency user should be logged and checked regularly. Therefore, it is essential in preparation for the annual audit to check the current, as well as the historical, assignments of SAP_ALL. It is therefore not sufficient to simply quickly remove the SAP_ALL profile from users in the run-up to the annual audit. It must also be proven that the SAP_ALL profile was not briefly assigned for a few days over the audit period. If SAP_ALL assignments did occur, ideally these have already been documented and checked. If this is not the case, it is essential to create documentation that cannot be changed, in which it is proven why the assignment was necessary and that the user has not carried out any critical actions beyond this (filing and review of logging).
A complicated role construct
Launch the QuickViewer for SAP Query with the SQVI transaction. Create a new query named ZMYSUIM on the entry screen. Enter a description of it and - this is the most important step - specify a table join as the data source. You can now specify your data sources on the following screen. You can select the tables in the menu via Edit > Insert Table (or by pressing the button ). In our case, this would be the AGR_ 1251 table for the Role Permissions Values and the AGR_USERS table for the user assignments in rolls. The system automatically proposes a join of the tables via shared data columns. In our example, this is the name of the role.
If the proliferation has occurred because the authorization concept was not adhered to, a cleanup is sufficient. If the proliferation has arisen because there are errors and gaps in the authorization concept, these errors must be identified, eliminated and the authorizations optimized. If the concept can no longer be implemented in a meaningful way, or if it has already been set up incorrectly, it will be necessary to create a new one.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
You grant the members of an SAP project team the permissions they need to support the project.
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
Note that playback stops when we encounter an error in the PFCG transaction, such as when we try to create a role with the input values that already exist.