Customise SAP_ALL Profile Contents
How to analyze roles and authorizations in the SAP system
Role selection for mass transport uses the default value help, which offers the Multiple Selection button. Thus, you no longer have to go through the Value Helper (F4) to perform multiple selection of roles, and the restriction of selected roles to the visible rows is eliminated.
If the security advice change affects normal programme flow, you should schedule application tests. If only exceptional treatments are adjusted, you can omit or severely limit the test.
Authorization concepts in SAP systems
Put the values of the permission trace into the role menu: The applications (transactions, web-dynpro applications, RFCBausteine or web services) are detected through their startup permissions checks (S_TCODE, S_START, S_RFC, S_SERVICE) and can be added to the role menu of your role. In your role, go to the Menu tab and import these applications by clicking Apply Menus and selecting Import from Trace. A new window will open. Here you can evaluate the trace and view all recognised applications in the right window. To do this, click the Evaluate Trace button and select System Trace (ST01) > Local. In a new System Trace window, you can specify the evaluation criteria for the trace, such as the user using the Trace field only for users or the time period over which to record. Then click Evaluate. Then, in the right part of the window, you will see all the applications logged. Select the applications you want to apply to the Roles menu and click Apply. You can now decide how the applications appear in the Role menu. The application can be added to the role either as a permission proposal or as a menu item through the Add drop-down box. They can be displayed as a list or as a panel menu (insert as list) or according to the SAP menu tree in which the application is stored in the SAP menu (insert as SAP menu).
We can now execute the test script en masse with any input. We need a test configuration for this. In the example Z_ROLLOUT_STAMMDATEN, enter a corresponding name and click the Create Object button. On the Attribute tab, specify a general description and component. On the Configuration tab, select the test script you created earlier in the corresponding field. Then click the Variants tab. The variants are the input in our script. Since we do not know the format in which eCATT needs the input values, it is helpful to download it first. To do so, select External Variants/Path and click Download Variants.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
If you are using applications that access files in the DIR_HOME directory without a path, such as the ST11 transaction, you must specify access to the allowed file groups individually (e.g. dev_, gw_), because there is no wild card for DIR_HOME.
Avoid this by basically enabling table logging and then setting logging for specific additional tables.