Using suggestion values and how to upgrade
Evaluation of the authorization check SU53
Locking and validity of the user account is done through the user administrator and is also valid for other authentication procedures. This means that a login via SSO is not possible for an invalid user or a user with administrator lock. We therefore always recommend that you prevent access to the system by setting the validity of users. Setting validity on assigned roles also prevents the user from performing actions in the system, but does not generally prevent them from logging in.
The basic idea of the approach described below is to evaluate the previous usage behaviour (reverse engineering) for the definition of the required permissions. In the first step, you configure the retention time of usage data, because each SAP system logs the calls to bootable applications. This way, not only the user, at what time, what transaction, but also the user, which function block was called. These data are then condensed into daily, weekly and monthly aggregates and stored for a specified period. This statistical usage data is originally intended for performance analysis; You can also use them to determine the permissions you need. We described the configuration of the retention time of the statistical usage data in Tip 26, "Use usage data for role definition". Please also refer to our explanations on the involvement of your organisation's co-determination body in the storage and use of the statistical usage data. In addition to the settings described in Tip 26, you should also adjust the retention time for the RFC Client Profile (WO), RFC Client Destination Profile (WP), RFC Server Profile (WQ), and RFC Server Destination Profile (WR) task types using the SWNCCOLLPARREO Care View.
Note the effect of user types on password rules
Once a permission concept has been created, the implementation in the system begins. On the market, there are solutions that create PFCG rolls based on Microsoft Excel in the blink of an eye. You should, however, take a few things into account. Have you defined your roles in the form of role matrices and your organisational levels (orgés) in the form of organisational sets (orgsets)? All of this is stored in Excel documents and now you want a way to simply pour this information into PFCG rolls at the push of a button, without having to create lengthy role menus or then derive large amounts of roles, depending on how many organisational sets you have defined?
You can use the system trace function (transaction ST01) to record the authorization checks in all modes, if the trace and the transaction to be traced run on the same application server. All object fields and their values are recorded during the authorization object check.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
If you want to get more information about SAP basis, visit the website www.sap-corner.de.
An SAP authorization concept is used to map relevant legal standards and internal company regulations to the technical protection options within an SAP system.
To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.
On the other hand, you can implement medium (3) and low (4) security advisories via support packages, which you should also include regularly.