Authorization Analysis
Query the Data from an HCM Personnel Root Record
In order to sustainably guarantee the security of the SAP system internally and externally, regular auditing is indispensable. Existing rule violations must be detected and corrected. In addition, it is important to document the regular operation of SAP in order to have evidence of this for external and internal requirements. Automated processes can save a lot of time and money.
In these cases, the total permissions from the RFC_SYSID, RFC_CLIENT, and RFC_USER fields will not be applied. However, you will always see a system message. These constraints cannot be changed by the settings of the customising switch ADD_S_RFCACL in the table PRGN_CUST.
Know why which user has which SAP authorization
If you want to set up a new client or take over the movement data of the productive system in a development system, you should also consider the modification documents. If you have a client copy, you should first delete the indexing of the change documents (table SUIM_CHG_IDX), since you can restore the indexing after the copy. To do this, use the SUIM_CTRL_CHG_IDX report without selecting a date and check the Reset Index box. After the copy has been made, delete the change documents that are dependent on the client; This also applies to the client-independent change documents (e.g., proposed permissions, table logs) if you have copied the client to a new system. In addition, you should remove the shadow database alterations before copying the client and complete the index build after the copy. In any case, check the Reset Index box in the SUIM_CTRL_CHG_IDX report!
When you select the row with the parameter transaction you created and click on the Suggest values button, the S_TABU_NAM authorization object is automatically created with the correct suggestion values, i.e. the table name in the transaction SU24. Check these suggestion values by clicking Yes in the S_TABU_NAM column. You will now end up in a view from the transaction SU24 and can check in the tables authorization objects and Permission Proposition Values (for all authorization objects) which changes to the object S_TABU_NAM have been made automatically. For more information and implementation guidance, use SAP Note 1500054. The SAP Note also provides the SUSR_TABLES_WITH_AUTH analysis report, which specifies table permissions for users or individual roles. This report checks at user or single-role level which tables have permissions based on the S_TABU_DIS or S_TABU_NAM authorization objects. The report does not check whether the user has the transaction startup permissions that are also necessary, such as S_TCODE. For example, if you check what table permissions a particular user has based on the S_TABU_DIS authorization object, you will receive information about the table names, the associated table permission group, and the eligible activities. Granting permissions to access tables directly is flexible and useful, and is not recommended unless the mechanism is hammered out by giving the user general table access through generic maintenance tools.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
Click here on the Evaluate Trace button and select System Trace (ST01) > Local.
Behind this RFC connection is a Trusted-RFC connection in the ERP system of the system landscape with the naming convention *_RFC.