User name with restrictions - how?
Feedback from consultants who are experts in the technology;
After installing the GUI, the GUI patches should be applied as far as available. This includes the hotfixes after the patches, which are necessarily installed after the patches. BI Addon Patch A new service package and patch may need to be installed. It may also be that can be patched directly if another SP exists. The process takes about 30 minutes. The progress of the installation pauses at a certain percentage, as already mentioned above, so you do not have to cancel the installation prematurely. If the installation is not possible, the latest version will be included in another setup. Installation of the Precalculation Server The Precalculation Server is installed. You can also install any patches here. Service The installations create a service. This can be called under Services. Set the Startup Type of the service to "Automatic" (Standard Manual) Enter Login Credentials Recovery for First and Second Failure to "Restart the Service" Start Service Logon SAP Login to the SAP system with the appropriate client from the Precalculation Server. You can use the SAP system's own login. Warning: There must be permissions for the transaction RSPRECALCADMIN and SM51. The transaction SM51 will then be called. Before creating the instances, it must be ensured that the correct application server is selected, otherwise problems with the instances in the user's application may occur later. The transaction RSPRECALCADMIN is then called. A certain number of instances are displayed. They should all be marked and deleted until the view is empty again. They are then re-created with a continuous numbering in order to distinguish them later. Only the ID and description must be entered. The rest will be awarded automatically. The service will now restart and all instances should be green. This may take 2-3 minutes. Important: In the end, all instances must be green. This completes the creation and configuration.
The security of an SAP system requires protection against unauthorised access, e.g. through the secinfo and reginfo files. A cleanly implemented authorisation concept protects against attacks within the SAP system. However, it is also possible to attack your SAP system via the network. Through the RFC Gateway Server, your system communicates with external servers and programmes. One particularly effective way to protect against this are so-called Access Control Lists (ACL). Find out what this is and how you can use it to better protect your SAP system. The SAP Standard offers different approaches for gate protection. All methods combined can provide even greater safety. For example, it is possible to use Access Control Lists (ACL) to monitor exactly which external programmes and which hosts can communicate with the gateway. Another option is to configure the gateway to support Secure Network Communication (SNC). Finally, there are various security parameters for the gateway. This article focuses on the use of ACL files such as secinfo and reginfo files. What is an ACL? Access control lists are files in which permitted or prohibited communication partners can be recorded. For the gateway to use these ACL files, parameters must be set in the default profile of the SAP system and of course the files must be maintained accordingly. With the help of logs and traces, which can be configured for this purpose, a precise investigation can be made in advance of the activation, which connections currently run via the gateway. This allows them to prevent important applications with which your system communicates from being blocked by the ACL files. The rules in the ACL files are read from top to bottom of the gateway to decide whether to allow a communication request. If none of the rules matches the requesting programme, it will be blocked. Network-based ACL The network-based ACL file contains permitted and prohibited subnets or specific clients.
Planning / Implementation
In the SAP Business Objects environment, you can extend the control of permissions using the CMC tab configuration. The tab configuration allows you to easily show or hide specific tabs for users or groups. Enable CMC Tab Configuration By default, the CMC Tab Configuration feature is set to "Don't Limit" and is disabled. For you to be able to use the tab configuration at all, you will need to enable it for now. Note: If you enable the tab configuration, all users that are not under the default Administrators group will not see tabs for the time being. This is because access is denied by default through the CMC tab configuration. Therefore, once enabled, you must maintain tabs for all existing groups. Therefore, make sure you have an account associated with the Administrators Group! To do this, go to Applications, right-click Central Management Console, and select Configure Access to the CMC tab: The CMC can be found under Applications. Now enable the configuration by selecting the Restrict option. Use Restrictions to enable the option. Hide/show tabs If you are now logging in with a user that is not in the default Administrators group, you will not see applications/tabs on the CMC home page. Initially no applications/tabs are visible To display the desired tabs for the groups again, switch to users and groups with your administrator account, right-click on the desired group, and select CMC tab configuration. Enter the tab configuration. In the dialogue that appears, you see that all tabs are denied access by default.
In order for the stored business logic of an application to be executed correctly, the executing user must also have the necessary permission objects in the flow logic of the OData services in his role. If Authority Checks are performed here, e.g. to query or change data on the backend server, the corresponding role must be authorised. These permissions are expressed in a role by permission objects, as in any ABAP report. If you follow these steps, your Launchpad users should have the Fiori permissions necessary to launch the launchpad, view all relevant tiles, and run the specific apps with their business logic.
"Shortcut for SAP Systems" makes many tasks in the area of the SAP basis much easier.
Understanding the structure and functioning of the system is especially important for IT administration. It is not for nothing that "SAP Basis Administrator" is a separate professional field. On the page www.sap-corner.de you will find useful information on this topic.
SAP Basis is responsible for the smooth operation of the SAP Basis system.
If the additional memory in the Advanced Storage Area is still not sufficient for the user context, the optional second role area can be used.