Managed Services
Optimization of SAP licenses by analyzing the activities of your SAP users
You would like to revise your authorisation concept and tailor SAP roles only to the productive processes. We show you how to use the statistical usage data from the Workload Monitor for the SAP role definition. One of the biggest effort drivers in redesigning SAP role concepts is the definition of transactional expression of SAP roles. By using the statistical usage data from the workload monitor, you can avoid costly coordination with process managers in the sense of a Green Field Approach. In this way, you can tailor your SAP role concepts to the content of the usage behaviour. The only requirement is that the data be available for a representative period. This is two months in the SAP standard; You can also extend this time period. Below we describe how you can use the statistical usage data from the Workload Monitor for the SAP role definition.
When programming your permission check, always check the SY-SUBRC return code and define what should happen in the event of a non-successful permission check, i.e. if SY-SUBRC is not equal to 0. In most cases, an error message occurs and the programme is cancelled.
Create order through role-based permissions
When assigning a new user group to a user, only the creation permission in the new user group is required. Alternatively, you can enable the check for activity 50 (Move) of the S_USER_GRP authorization object. In the USR_CUST table, set CHECK_MOVE_4_CNG_GRP to YES.
In principle, the SAP_NEW permission should not be granted in the production system. The Profiles tab displays the generated profiles in the user master record that are associated with a specific user. Here you can also assign manually created permission profiles from the transaction SU02 - even without direct role mapping. In principle, the recommendation is to use the profile generator (transaction PFCG) to generate authorisation profiles automatically. Special caution is taken when you enter generated permission profiles directly on the Profiles tab, as these assignments will be deleted by matching user assignments with the transaction PFUD if no entry is on the Roles tab for the assignment. You have probably assigned SAP_ALL and SAP_NEW to users for whom there should be no restrictions in the SAP system. But what are these two profiles different from each other and why are they necessary?
With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
Set an abbreviation or character that identifies master, single, additional, value roles, collection roles, or derived roles.
The data that is regulated by the structural authorizations must be hierarchically structured in one of the personnel development components.