Best Practices Benefit from PFCG Roles Naming Conventions
Set up permission to access Web Dynpro applications using S_START
The check for the assignment of the SAP_ALL profile is carried out differently in the SOS than in the EWA: if a user is found who is assigned SAP_ALL and you have not entered that user in the corresponding whitelist, the user is nevertheless hidden in the subsequent permission checks. Identified users are output either as a complete list or as examples of specific users. In both cases, you can download the full list in transaction ST14 of the SAP Solution Manager. You can use the Check ID to map the user lists to the permission checks. Note, however, that these lists do not contain the evaluations of the whitelists.
An overview of the information actually relevant to your system landscape can be obtained from the System Recommendations application in the Change Management section of the SAP Solution Manager (transaction SOLMAN_WORKCENTER or SM_WORKCENTER). This application provides you with a recommendation of the SAP Notes and non-SAP notes to be implemented for the evaluated systems.
Archive change document management for user and permission management
In SAP systems, authorization structures grow over the years. If, for example, the company is restructured or new organizational units are created, there is a risk that the authorization concept no longer fits or is no longer implemented correctly.
Finally, you must evaluate and implement the results of the preparatory work. The overview allows you to determine which user needs which function groups or function modules and to set up the permission roles accordingly. You can exclude calls to Destination NONE from your evaluation, because these calls are always internal calls to RFC function modules. In this context, we recommend that you check the mappings for critical function modules or function groups.
Authorizations can also be assigned via "Shortcut for SAP systems".
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
For example, transactions that a user executed only once within 12 months could indicate a very privileged user, or a transaction that a user who holds permissions for it invoked inadvertently.
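The two review checks described above (SAP_ALL assignments outside a whitelist, and transactions a user executed only once in 12 months), as an added example that is not code from the page or from SAP. The input rows are constructed sample data; the column layout and the names of the whitelist and helper functions are assumptions.

```python
"""Added example: two authorization-review checks over exported SAP data.
The rows below are constructed; in practice they would come from an export
of user/profile assignments (e.g. SUIM) and of workload statistics (e.g. ST03N)."""
from collections import defaultdict

# Constructed sample: (user, profile) rows, as in a user/profile assignment export.
PROFILE_ASSIGNMENTS = [
    ("DDIC", "SAP_ALL"),
    ("JSMITH", "SAP_ALL"),
    ("JSMITH", "S_A.SYSTEM"),
    ("MMUELLER", "Z_FI_CLERK"),
]

# Constructed whitelist (an assumption): accounts allowed to hold SAP_ALL.
SAP_ALL_WHITELIST = {"DDIC"}

# Constructed sample: (user, transaction, executions in the last 12 months).
TRANSACTION_USAGE = [
    ("JSMITH", "VA01", 412),
    ("JSMITH", "SU01", 1),
    ("JSMITH", "PFCG", 1),
    ("MMUELLER", "FB01", 250),
    ("MMUELLER", "SE16", 3),
]


def sap_all_findings(assignments, whitelist):
    """Return the sorted users that hold SAP_ALL but are not on the whitelist."""
    flagged = {user for user, profile in assignments
               if profile == "SAP_ALL" and user not in whitelist}
    return sorted(flagged)


def single_use_transactions(usage):
    """Map each user to the sorted transactions they executed exactly once.

    A single execution within the whole period is the signal the text describes:
    either an over-privileged user or a transaction started by mistake.
    """
    result = defaultdict(list)
    for user, tcode, count in usage:
        if count == 1:
            result[user].append(tcode)
    return {user: sorted(tcodes) for user, tcodes in result.items()}


if __name__ == "__main__":
    print("SAP_ALL outside whitelist:", sap_all_findings(PROFILE_ASSIGNMENTS, SAP_ALL_WHITELIST))
    print("Single-use transactions:", single_use_transactions(TRANSACTION_USAGE))
```

Flagged users and single-use transactions are the starting point for the review, not a verdict; each finding still has to be compared against the documented authorization concept.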
Please also refer to SAP Note 1539556.