Centrally view user favourites
Data ownership concept
You can't keep an eye on everything. Therefore, avoid that your colleagues do not assign users to a user group, and thus ensure that the user master data maintenance permissions check is correct. You do not want a user without a user group to be able to be created in your SAP systems? Users without a user group can be changed by all administrators with permission for any user group. You should also prevent incomplete permission checks when assigning roles and profiles to users without a permission group. Because it is possible to assign roles and permissions to a user first, and then assign a user group that does not have permission to assign roles and profiles. Finally, do you want to change the user group for an existing user without having permission for the new user group? In the following section we will show you how to secure your user master data maintenance.
You know that changing your SU24 data involves mixing the roles in question. Previously, the permission administrators had to select roles from, for example, the SUIM transaction to edit them. Often, the remixing of the respective roles is also forgotten. In order to ensure that you can set the mixing mode for the respective roles directly when maintaining the data in the transaction SU24, the function has been provided here with the respective support packages named in SAP Note 1896191. Correction is used to change the mixing mode for PFCG: On/Off/Roles. The function assigns the shuffle mode to the roles, which corresponds to step 2c of the transaction SU25 (see tip 43, "Customise Permissions After an Upgrade"). You can enable this function by using the value Y for the parameter SU2X_SET_FORCE_MIX in the table PRGN_CUST. The status of the mixing mode can be checked by clicking the button Mixing mode for PFCG: Enquire On/Off. By default, this feature is off. The Roles button (Use in Single Roles) identifies all the roles that the selected application contains and displays them directly in the SU24 transaction. You will receive a list of all matching roles in the SUPC transaction by selecting the Also-to-be-matched roles option, and you can now gradually update the roles.
User Information System (SUIM)
Authorization trace - Transaction: STUSOBTRACE - Transaction STUSOBTRACE is used to evaluate the authorization trace in the SAP system. This is a trace that collects authorization data over a longer period of time in several clients and user-independently and stores it in a database (table USOB_AUTHVALTRC).
The first step to eliminating sprawl in permissions is to prevent it. To do this, administrators should obtain an overview and the assigned authorizations should be checked regularly. This helps to identify problems and incorrectly assigned authorizations at an early stage. The workload monitor can help here. This shows which authorizations users are actually using. The use of authorizations can be analyzed selectively and exported to tables. This also helps to improve existing roles and to create new roles for the authorization model in SAP.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
This allows you to evaluate security-relevant configurations and critical permissions.
For each required transaction, you decide in detail which groups of people are allowed access.