SAP Authorizations Authorization Analysis - SAP Stuff

Authorization Analysis
Features of the SAP authorization concept
User trace - Transaction: STUSERTRACE - The transaction STUSERTRACE calls the user trace. This is essentially the authorization trace (transaction STUSOBTRACE) filtered for individual users: you run the same authorization trace with the filter set to a user. As with the authorization trace, the profile parameter "auth/authorization_trace" must be set accordingly in the parameter administration (transaction RZ10).

If it is clear that a cleanup is necessary, the first step should be a detailed analysis of the situation and a check of the security situation. Based on these checks, a redesign of the authorizations can be tackled.
Query Data from a Local Table
Manual authorization profile - To minimize the editing effort when using manual authorization profiles, you usually do not enter individual authorizations in the user master record, but authorizations combined into authorization profiles. Changes to access rights take effect for all users whose user master record contains the profile the next time they log on to the system. Users who have already logged on are therefore not initially affected by changes.

In the area of group consolidation, an authorization concept ensures that no data can be deliberately manipulated, for example to change balance sheets. This can prevent significant financial or reputational damage to banks and stakeholders. Furthermore, access to financial data of subdivisions of a group, such as individual business units or companies, must be restricted to those employees who are allowed to access it because their current activities require it. As a result, a controller of a business unit, for example, can only view the consolidated figures of his business unit, but not the figures of the entire group. Further authorization roles are required, for example, for external auditors. These auditors check all the figures for the entire group, but may only have read access to this data.

Authorizations can also be assigned via "Shortcut for SAP systems".

Although it is possible to create profiles manually, it is recommended to work with the profile generator.


Then you compare the settings of your SAP systems with this target system on a daily basis and get an overview of the deviations.