The SAP authorization concept
Custom Permissions
You should not grant large permissions for the SCC4 and SE06 transactions to internal and external auditors, just so that they can see the system modifiability. We present the report, which only requires the permissions a auditor usually has to view the system modifiability. There are several people who want to view the system modifiability settings in your system for specific reasons. These can be internal auditors, auditors or developers. The display of these settings, e.g. via the SCC4 or SE06 transactions, is not in itself critical; However, this has previously required permissions that are not usually assigned to the group of people just described. Since SAP NetWeaver 7.0, there is also a report that shows the system modifiability settings. This report requires only viewing permissions that can be assigned to the above-described group without any concerns. We present the application of this report and the required permissions here.
Check to see if there are any corrective recommendations to follow for your release. We recommend that you run the SU24_AUTO_REPAIR correction report before executing the transaction SU25 (see tip 38, "Use the SU22 and SU24 transactions correctly"). If necessary, run this report in the old lease, but in any case before importing the new proposal values. Use the test mode of the report to look at possible corrections in advance. In addition, to ensure that you do not lose information with your upgrade work, you can write and release the data from the SU24 transaction on step 3 (customer table transport) in the SU25 transaction to a transport order. This way, a backup of your SU24 data is made. Now the upgrade work can begin. Warning: Do not perform step 1 (customer tables were initially filled), because this overwrites the USOBT_C and USOBX_C customer tables, i.e. the SU24 data, completely with the SAP suggestion values. However, you want to keep your SU24 data and add to the proposed changes for the new release!
RSRFCCHK
For performance reasons, the SAP kernel checks whether a user is authorised in the permission buffer. However, only profiles and no roles are loaded into the permission buffer. Calling the SU56 transaction will cause you to parse the permission buffer, first displaying your own user's permission buffer. A pop-up window to change the user or authorization object will appear from the Other User/Permissions Object (F5) menu path. Here you can select the user you want to analyse in the corresponding field. The Permissions > Reset User Buffer path allows you to reload the permission buffer for the displayed user.
The first line defines that access to all files is forbidden unless other settings have been made for them in the other lines. The asterisk (*) is in the first place here and in this case for all files and paths. If the asterisk is in a different position, it is interpreted as part of the file name, which is not allowed in Microsoft Windows, for example. In our example table, setting the switches FS_NOREAD = X and FS_NOWRITE = X for all paths prohibits reading and writing. This makes the table a white list. This is preferable to a black list for security reasons. SPTH, on the other hand, becomes a Black List if you remove the first line with PATH = * in our example or if you do not set any of the switches FS_NOREAD, FS_NOWRITE or FS_BRGRU. The second line with PATH = /tmp allows read and write access for all files starting with /tmp, similar to a permission value /tmp*, as an exception to the access ban defined in the first line for all files and paths. This setting is not limited to subdirectories, but includes, for example, all files whose name starts with /tmp-xy. The third line with PATH = /tmp/myfiles defines a permission group with FS_BRGRU = FILE, triggering the subsequent permission check on the S_PATH object. The SAVEFLAG = X switch defines that these files will be included in a backup procedure; however, this is not relevant for the permission award.
Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.
If you want to get more information about SAP basis, visit the website www.sap-corner.de.
If a release change occurs, the adjustment of permissions is also required as a rework.
So much information... how can you keep it so that you can find it again when you need it? Scribble Papers is a "note box" that makes this very easy.
We need a test configuration for this.