SAP Authorizations Service User - SAP Stuff

Service User
System Users
Depending on the transaction invoked, this additional permission check allows the application to be checked at a more granular level. Therefore, transactions that are called with additional parameters might require more than one authorization object and must be protected programmatically. The following listing shows an example of a permission check that ensures that the logged-in user has the permission to start the SU24 transaction.

Existing log files are managed using the SM18 transaction. Here you can delete the log files in all active instances. This requires the indication of a minimum age in days for deletion. The smallest possible value is three days, without taking the current day into account in the calculation.
Eligibility proposal values
Users of your Web applications should have access to the applications that correspond to their particular business roles. You can use the S_START authorization object to map this requirement in the PFCG roles. Applications based on SAP products offer users different access methods; of these, using SAP GUI with application-related SAP transactions can be called the "classic" method. In Web applications, application interfaces are represented in a Web browser. Not only transactional processes, but also the display of results from data analyses or static facts should be supported. The SAP transaction model, which controls access through the S_TCODE authorization object, does not meet these requirements.

Two equal permissions that meet the first maintenance status condition are also combined when all the values of the two permissions differ in one field or when a permission with all its fields is included in the other. However, if there are open permission fields in a permission, they will not be combined unless all permission fields in the permission values are the same.

Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.

This also increases the dependency on the external tool, and the authorisation system is further removed from the SAP standard and the best practices recommended by SAP in role management.

The website www.sap-corner.de offers a lot of useful information about SAP authorizations.

Thanks to the new feature provided with the Support Package mentioned in SAP Note 1847663, it is possible to use trace data from the privilege trace in the SU24 transaction for suggestion value maintenance.