Assignment of critical authorizations and handling of critical users
System Security
If there are no buttons for copying and pasting in the PFCG transaction, you can simply insert them. Only seven lines are displayed in the dialogue box to maintain field values to properties in transaction PFCG. Up to now it was not possible to insert more than these seven lines at once from the clipboard. However, this may often be necessary in the context of the maintenance of permissions, for example if you want to use entries from other roles. Read how to copy and paste the buttons in the dialogue box to maintain field values to the authorization objects.
Even the best authorization tools cannot compensate for structural and strategic imbalances. Even a lack of know-how about SAP authorizations cannot be compensated for cost-effectively by means of tools.
Conclusion and outlook
Do this once in your system. For example, you can jump from the MM50 transaction to the MM01 transaction without explicitly assigning transaction startup permission to the MM01 transaction through the S_TCODE authorization object. You can see this call in your System Trace for Permissions in the Additional Information column for testing. There you can see that the CALL TRANSACTION call has disabled the permission check. The user is allowed to jump into the transaction MM01, although in the role assigned to him Z_MATERIALSTAMMDATEN only permissions for the transactions MM03 and MM50 are recorded.
Your system landscape does not correspond to a typical three-system landscape? Find out what you should consider when upgrading the suggested values of roles. Your system landscape may differ from the typical three-system landscapes, for example, because you have several development systems or development mandates. Transports are then used to merge all developments and customising entries into one consolidation system. Perform your upgrade work in the SU25 transaction and use Step 3 to transport your SU24 data. By contrast, perform this step in all development systems, run all transports together in your consolidation system, and only the last import of the tables is used. The same entries are also recognised as deleted entries. The same is true with your PFCG rolls. Maintain these in multiple development systems or mandates, and if you now want to transport the rolls with their generated profiles, there is a risk that the profile numbers will be the same, as the profile names consist of the first and third characters of the system ID and a six-digit number. If the profiles originate from the same system (even if the client is a different one), import errors may occur due to the same profile names. In addition, the origin of the profile can no longer be traced afterwards. Therefore, you need a way to transport the data for the permission proposal values and the PFCG rolls in Y landscapes in a transparent and consistent way.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
On www.sap-corner.de you will also find useful information about SAP basis.
Users with such IDs will write all change documents, but the IDs can still cause confusion if, for example, they are not recognisable as a user ID or if it appears that no user is displayed for the change document.
The freeware Scribble Papers is a "note box" in which all kinds of data can be stored. It takes in typed texts as well as graphics and entire documents. The data is then organised in folders and pages.
In addition to the individual checks for individual developers, the tool also offers mass checks, for example to check an entire application for vulnerabilities in one step.