Perform Risk Analysis with the Critical Permissions Report
Use application search in transaction SAIS_SEARCH_APPL
A temporary shutdown of Central User Management is usually not recommended. However, in certain cases it may be necessary. We will show you what pre- and post-processing is required to avoid data inconsistencies. In complex SAP landscapes where the Central User Administration (ZBV) is used, there may be cases where you want to temporarily remove a subsidiary system from the ZBV without having to delete this system or shut down the entire ZBV, for example if you want to create users in a subsidiary system at short notice.
When programming your permission check, always check the SY-SUBRC return code and define what should happen in the event of a non-successful permission check, i.e. if SY-SUBRC is not equal to 0. In most cases, an error message occurs and the programme is cancelled.
Activity level
As part of identifying authorization problems, it should be documented what the risks are if the current situation is maintained. Often, those responsible in the company do not want to make a correction because it causes costs and work. If the current concept works and security gaps are abstract, many people in charge are reluctant to change anything. For these reasons, the first step should be to document what problems and dangers lurk if the current concept is not corrected: First, the risk of fraud, theft, and data privacy and security breaches increases. Documentation can help identify where dangers lie. There is a fundamental problem of financial damage to the company if action is not taken. Another danger is that users will experiment with their authorizations and cause damage that can be avoided by having a clean authorization structure. Also a problem is the increased administrative overhead of granting and managing permissions. The effort increases if the current role assignments are not transparent and optimally structured.
Entry into role maintenance requires the transport permission (S_USER_AGR, ACTVT = 02) in addition to the modification permission (S_USER_AGR, ACTVT = 21). If role recording requires creating new transport jobs or tasks, you need permissions to the transport objects (e.g. S_TRANSPRT with TTYPE = CUST or TASK and ACTVT = 02).
Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.
Use the Active/Inactive column to determine if the permission has been disabled.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
Currency of the trace execution, the authorization check is recorded exactly once for each user.