Set up permission to access Web Dynpro applications using S_START
Module
As an SAP SuccessFactors implementation partner, we are often confronted with complex authorization constellations. For sure: If a consulting company does not implement a process first and the "framework" is missing as a result, the existing SAP authorizations must be analyzed retrospectively and the underlying concept must be understood. Only then can the new process be meaningfully inserted into the authorization concept.
SAP Note 1854561 provides a new possible value for the auth/authorisation_trace parameter: F (Trace enabled with filter). Allows you to limit the permission trace to values that can be set by the filter. The filters are defined in the STUSOBTRACE transaction (see SAP Note 1847663).
Identify Executable Transaction Codes
SOS reports can be very comprehensive. In particular, if the Whitelists are not yet maintained, reporting volumes of up to 200 pages are not uncommon. Do not be discouraged in such a case, but start by cleaning up a manageable amount of critical SOS results. You can then edit the further results in several rounds. The AGS recommends which critical SOS results you should consider first; You can find these in the AGS Security Services Master slide set in the SAP Service Marketplace Media Library.
The AL08 transaction displays all logged-in users and their application servers. In the Server Name column, you can see which application server the user is logged on to, and which has the permission issue. Switch to this application server by calling the SM51 transaction and double-clicking the application server you are looking for. On the application server that is now active, run the permission trace as usual and review the evaluation.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
Here, too, you can take advantage of the values of the permission trace.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
Here you can check whether there are parameter or variant transactions for a given table, or for a particular view, for which you can set up permissions, instead of allowing access to the table through generic table access tools.