BASICS FOR USING SAP REPORTS
Custom requirements
As a role developer, you can now select the specific application in the PFCG transaction from the list of web dynpro applications published by the software developers on the Menu tab and enter it in the Role menu. To generate the role profile, switch to the Permissions tab. There you can check the concrete value expressions of the S_START permission fields and, if necessary, the additional relevant authorization objects for this Web application and supplement them if necessary. Finally, you must generate the role profile as usual.
Users' favourite lists provide valuable information about the transactions they use. With the knowledge of the favourites, you can therefore avoid gaps in your authorisation concept. In the SAP system, each user has the ability to save frequently used functions as their own favourites. In practice, we have found that this feature is very often used by users. If you create a new permission concept, it is useful to include the favourites in the viewing. Because the favourites don't just store used transactions over and over again, but also transactions that users use only occasionally. These occasional transactions could be quickly forgotten when redesigning a eligibility concept. Therefore, we always recommend that you match the transactions you have considered with the favourites stored in your system.
Take advantage of roll transport feature improvements
Furthermore, the statistical data of other users (user activities, such as executed reports and transactions) should be classified as sensitive, since it may be possible to draw conclusions about work behavior using this data. This data can be displayed using transaction ST03N, for example. Access authorizations to the two types of data mentioned above should be assigned only very restrictively.
Incorrect use of the user types and password rules can result in the shutdown of the RFC interfaces. Find out what types of users you can use and how the password rules affect these types of users. In the SAP system, you can choose between different user types when creating users. These user types control the login behaviour and also the impact of password rules on the user. This can lead to undesirable behaviour, especially if the parameter for the validity of the initial password is set. It is often not known that the password rules also apply to users of the communication type. Communication users usually use an initial password because a dialogue is not possible and the password is not changed. If parameters for the validity of the initial password are now also introduced, these also apply to communication users. We will show you how to prevent such problems and give you an overview of the types of users and the impact of the password rules.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
Depending on the permissions granted, certain items or documents should be excluded from display.
In the permission environment, you can work with reference roles and role derivations in such cases.