SAP Authorizations Using eCATT to maintain roles - SAP Stuff

Direkt zum Seiteninhalt
Using eCATT to maintain roles
Check and refresh the permission buffer
You have read that it is possible to perform mass activities, such as mass roll-offs, using standard means. This is all too complicated for you, and you are still looking for simple solutions for role maintenance? I'm sure you'll have a look at tools from SAP partners that promise to help. In this context, we would like to give you some more information in this tip. There is a very practical occasion: We have too often found a "broken" authorisation system with SAP customers, caused by the incorrect application of additional programmes. Sometimes, the role content was misaligned and the suggestion values were not neatly maintained, so at some point the permission administrators couldn't figure out what to do. Therefore, you should check very well whether the tool you are considering is actually suitable for your purposes.

Please note that depending on the results of the RSUSR003 report, a system log message of type E03 is generated. If a critical feature (stored in red) is detected, the message text"Programme RSUSR003 reports ›Security violations‹"is written into the system log. If no critical feature has been detected, the message"Programme RSUSR003 reports ›Security check passed‹"will be displayed instead. This message is sent because the password status information of the default users is highly security relevant and you should be able to track the accesses. You can grant the User and System Administration change permissions for the RSUSR003 report, or you can grant only one execution permission with the S_USER_ADM authorization object and the value CHKSTDPWD in the S_ADM_AREA field. This permission does not include user management change permissions and can therefore also be assigned to auditors.
Starting Web Dynpro ABAP applications
You can disable this new behaviour for the SAP_ALL profile by setting the customising switch ADD_S_RFCACL to the value YES in the table PRGN_CUST. If the ADD_S_RFCACL entry is YES, SAP_ALL still contains the total permissions for the S_RFCACL authorization object.

In these cases, the total permissions from the RFC_SYSID, RFC_CLIENT, and RFC_USER fields will not be applied. However, you will always see a system message. These constraints cannot be changed by the settings of the customising switch ADD_S_RFCACL in the table PRGN_CUST.

Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.

In the TEXT field, if required, you will find the description of the favourite entry.

If you want to know more about SAP authorizations, visit the website

In spite of automated evaluations, external auditors often also demand an activation of the Audit Information System (AIS).
SAP Stuff
Zurück zum Seiteninhalt