Check the SAP authorization concept
However, the authorization trace is not active by default, but must be explicitly activated via the profile parameter "auth/authorization_trace". In transaction RZ11 you can easily and quickly check if the parameter is already set. The profile parameter is set in transaction RZ10. By default, the profile parameter is active in SAP systems (profile parameter transport/systemtype = SAP) and inactive in customer systems (profile parameter transport/systemtype = CUSTOMER).
The change management process in the SAP® environment can be quite complex. Since program changes are usually transported into the production system, which can potentially have an impact on the annual financial statements, the audit of the process is an essential part of the annual financial statement audit. For this reason, it must be ensured that the process documentation is up-to-date and complete. It must also be ensured that appropriate classifications are defined for various types of change. This is because the process may subsequently differ for each classification. For example, the extent of the test and release steps varies depending on the criticality of the change, and they may even be shortened considerably for low-risk changes. However, it is crucial to justify this in a comprehensible manner. In the change management process, a sufficient test and release phase should be set up by the responsible department. This process step must also be documented in a comprehensible manner, even if it is not always easy to obtain the necessary evidence from the departments. In this process in particular, it is crucial that a clear dual control principle is established, which ensures that the developer is not also the person who ultimately carries out the transport into the productive environment. In preparation, the documentation should therefore be checked for completeness and up-to-dateness and, in a further step, whether the process defined in it has also been followed throughout the year.
Authorization concept of AS ABAP
In these cases, the total permissions from the RFC_SYSID, RFC_CLIENT, and RFC_USER fields will not be applied. However, you will always see a system message. These constraints cannot be changed by the settings of the customising switch ADD_S_RFCACL in the table PRGN_CUST.
Now, if a user attempts to execute a report (for example, by using the KE30 transaction), the user's permissions for that authorization object are checked. Therefore, you must adjust your permission roles accordingly. If the user does not have permission to access the object, his request is rejected. If it has a corresponding permission, the display will be restricted to the permitted area. Access is still allowed for all characteristics or value fields that are not defined as fields of the authorization object.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
Since the report has significantly higher maturities than step 3 of the transaction SU25, we advise you to apply this report only in a Y-landscape.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
It should be noted that they are very important for the operational execution of your SAP system and must not be deleted.