Customizing
In the transaction, select SU10 by login data of users
Finally, we want to give you some recommendations for securing file access. The SPTH table allows you to protect the file system from ABAP programme accesses without granting permissions and to deliberately define exceptions. The problem is identifying the necessary exceptions. However, because the SPTH check is always performed together with the S_DATASET object check, you can use a long-running permission trace to find the paths that are used with filters for the S_DATASET authorization object. The procedure for this is described in detail in our Tip 39, "Maintain suggestion values by using trace evaluations". If you are using applications that access files in the DIR_HOME directory without a path, such as the ST11 transaction, you must specify access to the allowed file groups individually (e.g. dev_, gw_), because there is no wild card for DIR_HOME.
The other fields in the SMEN_BUFFC table describe the structure of the favourites, where the OBJECT_ID field is the unique key of the favourite entry. In the PARENT_ID field, you will find the parent item's object ID, and the MENU_LEVEL field describes the level of the entry in the favourite folder structure. You can read the order in which the favourite entries are sorted from the SORT_ORDER field.
Query Data from Active Directory
Different organisational fields are used in each module. Since there are many interfaces between the modules, the main organisational fields of the modules must be linked. However, there are also organisational fields that are only relevant for the respective module. All object fields used as organisational units are listed in the USORG table. You can call this table through the SE16 transaction. Alternatively, in the selection screen of the AGR_1252 table, the value help of the VARBL field also shows the corresponding name for the respective organisation fields.
You will also notice that many tables have the table permission group &NC& assigned to them, and therefore differentiation over table permission groups over the S_TABU_DIS authorization object would not work at all. Furthermore, you cannot assign permissions to only individual tables in a table permission group using S_TABU_DIS. In such cases, the investigation shall continue: If the permission check on the S_TABU_DIS authorization object fails, the S_TABU_NAM authorization object is checked next. Allows you to explicitly grant access to tables by using the table name.
Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
Whenever you want programmes to run periodically at specific times without user interaction, or when their runtime should not interfere with normal dialogue operations, schedule them as batch jobs in the background.
The result list shows all the authorised tables, their permissions, and their permission values.