SAP Authorizations What to do when the auditor comes - Part 2: Authorizations and parameters - SAP Corner

What to do when the auditor comes - Part 2: Authorizations and parameters
Limitations of authorization tools
You can access the ABAP Test Cockpit from the context menu of the object to be checked via Verify > ABAP Test Cockpit. Note that the global check variant of the Code Inspector, which you created in transaction SCI and which is entered as the default in transaction ATC (ATC configuration), includes the security tests of the extended program check of the SAP Code Vulnerability Analyzer.

The next step is to maintain the authorization values. Here, too, you can take advantage of the values from the authorization trace. When you switch from the Role menu to the Authorizations tab, start authorizations are generated for all applications in the Role menu, and default authorizations from the authorization proposals are displayed. You can now supplement these proposed values with the trace data by clicking the Trace button in the button bar. First, select the authorization object that you want to maintain. There can be multiple authorizations for each authorization object. Then load the trace data by clicking the Evaluate Trace button. A new window opens, where you can set the evaluation criteria for the trace and limit the filter either to applications in the menu or to all applications. Once the trace has been evaluated, you are presented with all checked authorization values for the selected authorization object. With the Apply button, you can now adopt the values line by line, column by column, or field by field.
Manual authorizations
The report PRGN_COMPRESS_TIMES provides a remedy. You can call it directly or in the edit mode of a PFCG role in the PFCG transaction via Tools > Optimise User Mapping.

Single role - Created using the role administration tool, it enables the automatic generation of an authorization profile. The role contains the authorization data and the logon menu of the users.

Authorizations can also be assigned via "Shortcut for SAP systems".

As in other systems, user maintenance and role/profile assignment must be restricted to the group of user administrators.

If you want to know more about SAP authorizations, visit the website www.sap-corner.de.


The evaluation is similar to the evaluation of the system trace in the transaction ST01.