Authorizations in SAP BW, HANA and BW/4HANA
Set up permission to access Web Dynpro applications using S_START
If it is clear that a cleanup is necessary, the first step should be a detailed analysis of the situation and a check of the security situation. Based on these checks, a redesign of the authorizations can be tackled.
To release jobs, whether your own or those of other users, an authorization for the object S_BTCH_JOB with the value JOBACTION = RELE is still required. During operation, scheduled batch jobs may be cancelled because a step user has been deleted or locked. With the program BTCAUX09, you can check as an administrator whether jobs are at risk of being cancelled in the future. If you want to run these jobs under another step user, you can change them either with the transaction SM37 or with the report BTC_MASS_JOB_CHANGE.
Optimise trace analysis
You can create such an organisational matrix as an Excel file or in ABAP; this depends on how you want to read the data. When using a common standard solution (e.g. SAP Access Control), a corresponding maintenance view is usually offered. We first describe how you can provide automated mass maintenance in the form of a custom development.
The security of an SAP system does not depend only on securing the production system. The development systems should also be considered, because the production system can be influenced from there, either via changes made in the development environment and in Customizing that are then transported, or via inadequately configured interfaces. Depending on the conceptual granularity of responsibilities in the development and Customizing environment, more detailed authorization checks may need to be performed.
With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.
Furthermore, all the new features of the transaction ST01, which we listed at the beginning of this tip, have been applied for evaluation.
Then test whether the job can be run with the permissions from the PFCG role.