Eligibility proposal values
System trace function ST01
When considering the security of SAP transport landscapes, it is not only the production system that is relevant for auditing. The other systems, including the development systems, must also be included in the risk considerations. The SAP_ALL profile is still frequently used there instead of concrete roles. This article identifies the main risk areas.
Finally, the check logic provides for a row-level check within a table if you want to restrict access to the table contents depending on an organisational mapping. For example, if you want a user to view only the data from a table that affects the country where their work location is located, you must configure it accordingly. To do this, you define and activate organisation-relevant fields as an organisational criterion (see Tip 62, "Organisationally restrict table editing permissions"). To keep track of which users can access which tables, run the SUSR_TABLES_WITH_AUTH report. This report provides information about which user or single role has the S_TABU_DIS or S_TABU_NAM authorization objects. The result list shows all the authorised tables, their permissions, and their permission values.
PROGRAM START IN BATCH
The indirect role assignment uses the evaluation paths PROFLO and PROFLINT for assigning the PFCG roles to the corresponding users. However, these evaluation methods ignore the object CP (central person), which represents the business partner in SAP CRM. In transaction PFUD, which provides for the user comparison, the evaluation paths US_ACTGR and SAP_TAGT are used. Again the object CP is not known.
Put the values of the permission trace into the role menu: The applications (transactions, web-dynpro applications, RFCBausteine or web services) are detected through their startup permissions checks (S_TCODE, S_START, S_RFC, S_SERVICE) and can be added to the role menu of your role. In your role, go to the Menu tab and import these applications by clicking Apply Menus and selecting Import from Trace. A new window will open. Here you can evaluate the trace and view all recognised applications in the right window. To do this, click the Evaluate Trace button and select System Trace (ST01) > Local. In a new System Trace window, you can specify the evaluation criteria for the trace, such as the user using the Trace field only for users or the time period over which to record. Then click Evaluate. Then, in the right part of the window, you will see all the applications logged. Select the applications you want to apply to the Roles menu and click Apply. You can now decide how the applications appear in the Role menu. The application can be added to the role either as a permission proposal or as a menu item through the Add drop-down box. They can be displayed as a list or as a panel menu (insert as list) or according to the SAP menu tree in which the application is stored in the SAP menu (insert as SAP menu).
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
Managed Services supports central and efficient administration to ensure an optimal overview.
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
The P_ABAP (HR-Reporting) authorization object is not required to execute reports, but is intended to improve performance during execution.