SAP Authorizations System Settings - SAP Stuff

System Settings
Starting Web Dynpro ABAP applications
Until now, there was no way to define different password rules or password change requirements for these users. Today, this is possible with the security policies that you assign to users and clients. In the following, we show you how to define security policies and how they work.

If you use configuration validation, we still recommend that you use the AGS Security Services, such as the EarlyWatch Alerts and SAP Security Optimisation Services, which we describe in Tip 93, "AGS Security Services." SAP keeps the specifications and recommendations in the AGS Security Services up to date and adapts them to new attack methods and security specifications. If you have identified new security issues within a security service, you can set your target systems accordingly and monitor these aspects in the future.
Automatically pre-document user master data
Alternatively, you can call the system trace via transaction ST01. Here you can set individual filters for the checks. In addition, you can switch off the trace via the "Trace off" button or the F8 key, and switch it back on via the "Trace on" button that is then displayed or the F7 key. Clicking the "Evaluation" button or pressing the F2 key displays the evaluation.

Determine if all recurring external services corresponding to area start pages and logical links have been removed from the GENERIC_OP_LINKS folder. Create a separate PFCG role for this folder. This PFCG role could contain all the basic authorizations a user must have in SAP CRM. This includes the authorization for the generic OP links. You can transfer this folder to a separate PFCG role by locally specifying the PFCG role that contains the GENERIC_OP_LINKS folder in the new PFCG role under Menu > Other Role >. Now maintain the PFCG role so that only the UIU_COMP authorization object remains active. Disable any other visible authorization objects. These are the authorization objects that allow access to data. You can maintain these authorization objects in the PFCG role that describes the user's workplace. In the PFCG role that describes the workplace, you can now delete the GENERIC_OP_LINKS folder. If you remix the PFCG role, you will find that many of the unnecessary authorization objects have disappeared.

Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.

This allows you to quickly find and clean up incorrect and security-critical authorizations not only by selecting the maintenance status of the authorizations, but above all by storing certain authorization objects and controlling them.

You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.

Double-click to go directly to the place in the code where the authorization check is implemented.