CHANGE TO A NEW ROLE APPROACH
At best, for the time in which an emergency user is in service, a separate log of the activities undertaken is written, which can then be evaluated. In the following chapter I would like to explain our best practice approach to implementing an emergency user concept. Our approach to using an emergency user concept We have had good experience with the use of the Xiting Authorizations Management Suite (XAMS) in this area. This suite consists of various modules for creating role concepts, managing permissions including a permission concept, and also enables the implementation of an emergency user concept. XAMS works here with a limited time assignment of reference users with extended privileges to enable the emergency user concept. A self-service application may be made with a justification and a period for allocating special rights. The application window is illustrated in an example in the following screenshot: Evaluation of the use of the Emergency User Concept Once this request has been initiated, a new mode will be opened for the user, in which he can work with the extended rights. In addition, depending on the configuration, a stored workflow can be initiated as an approval process, or pre-defined controllers will be notified by email to verify activities. Once the session has ended with the emergency user, the responsible persons will receive another email with the logged activity of the user with the extended permissions. One of these logs is shown in the next screenshot: These logs can also be viewed in the system. Here you will get an overview of all the sessions that have been run. In addition, it is possible to approve activities with special rights after an evaluation. This allows the controller to get an overview of the activities undertaken with the emergency user. If you are using this Emergency User Concept and following these steps, you can ensure: Each user on the production system retains his or her original necessary rights.
Without this provisioning component, adjustments to employee permissions in the respective IT resources would have to be implemented by the relevant system administrators. However, manual provisioning processes are by their very nature a source of errors. If an employee's tasks change, the system administrator should consider all active user accounts when modifying and deleting accounts. A modern IDM system therefore helps companies to keep track of users and their permissions, especially in complex and heterogeneous system landscapes.
Proactive and continuous optimization of system availability and performance
To add additional permissions for defined groups in the launchpad to PFCG roles, follow the steps described above. This time, you only select a "SAP Fiori tile group" instead of a "SAP Fiori tile catalogue". There are very few differences between permissions. Fiori Eligibility for OData Services The launch authorisation for the OData service stored in the backend from a Fiori app is queried on both the front-end and back-end servers when the application is launched. Therefore, this permission must be added to the appropriate role on both servers. The typical sequence of clicking on a Fiori app in the launchpad triggers the following steps: 1) When selecting the tile, the app Fiori implementation is called 2) The app retrieves dynamic data from the HTTP endpoint of the OData service on the frontend server from 3) An RFC call to the gateway activation of the backend system is followed, retrieving the relevant business logic 4) Now the Fiori permission for the corresponding OData service is queried on the backend 5) If this was successful the appropriate business logic permissions are queried in the OData service. To add the Fiori permission to run a OData service for an app to a role, please perform the following steps: In the PFCG, open the appropriate role in Change mode, perform steps on the following screenshot: 1) Select Menu tab 2) Arrow next to the "Transaction" button click 3) Select Permissions proposal.
Although you always make sure that authorization roles are generated when administering them, it happens again and again that there are red lights in the user assignment in the production systems. Have you considered user matching?
"Shortcut for SAP Systems" is a PC application that simplifies or even facilitates many activities in the SAP basis.
What is important is an end-to-end view based on the process and not just an individual view of the systems, services or components involved.
Basis administrators will therefore have to acquire a lot of expertise in operating containers.