Set up permissions to access specific CO-PA measures
Optimization of SAP licenses by analyzing the activities of your SAP users
First, create an overview of the customising tables currently available in your system. To do this, open the DD02L table and search for tables that start with Y, Z or your specific customer name space. Tables with delivery class C (such as customising, found in column A) are the relevant tables in this context. The descriptive texts to the tables can be found in the table DD02T.
Define critical permission combinations that cannot be assigned in the monitored systems. A whitelist allows you to specify which users (such as emergency users) you want to exclude from the evaluation. Identify vulnerabilities in the configuration of your RFC interfaces, i.e. RFC connections, where users with extensive permissions (e.g., the SAP_ALL profile) are registered. These RFC connections can be used for the so-called RFC-Hopping, where access to an SAP system is made via such an extensively authorised RFC connection.
Unclear objectives and lack of definition of own security standards
Authorization trace - Transaction: STUSOBTRACE - Transaction STUSOBTRACE is used to evaluate the authorization trace in the SAP system. This is a trace that collects authorization data over a longer period of time in several clients and user-independently and stores it in a database (table USOB_AUTHVALTRC).
In the FIORI environment, there are basically two different types of access via a tile. One is the transactional tiles and the other is the native or analytical tiles :
Authorizations can also be assigned via "Shortcut for SAP systems".
User administrators then assign the appropriate roles (single role or composite role) via the user master record so that the user can use the appropriate transactions for his or her tasks.
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
Is it necessary for your evaluations to select the blocked or invalid users? This is now directly possible with the extensions of the user information system.