Permissions checks
Set up permissions to access specific CO-PA measures
From the result of the statistical usage data, you can see which transactions (ENTRY_ID) were used, how often (COUNTER), and how many different users. There are various indications from this information. For example, transactions that were used only once by a user within 12 months could indicate a very privileged user, or inadvertently invoking a transaction for which a user has permissions. The future assignment of such transactions in the SAP role concept should then be critically questioned. In contrast, you should consider transactions with a high level of usage and a large user circle (e.g. with more than ten users) in an SAP role concept.
When copying the values to the Clipboard, note that only those values that you have previously marked will be copied to the Clipboard. The value intervals that can be maintained in the permission field values are separated by a tab stop, which is stored on the Clipboard.
Assignment of critical authorizations and handling of critical users
The S_START boot authorisation check is delivered inactively by SAP. If this test is activated in an AS-ABAP installation (see also SAP Note 1413011), this will affect all clients. Therefore, before you activate, it must be ensured that all affected users in the permission profiles associated with them have the necessary values in the S_START permission fields.
When it comes to preparing for the auditor, it should definitely be checked whether all critical authorizations, as well as the important parameters, have been correctly assigned or set up in SAP®. The specifications for this should all be defined in the authorization concept documented in writing and must also be consistent with this. In this context in particular, however, it is not always easy to check all the essential points using the SAP® standard on-board tools. This is where the experienced auditors at IBS Schreiber GmbH can provide support.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
Before creating PFCG roles, it is useful to maintain the suggested values for the transactions used.
This problem, which I am sure you are familiar with, does not exactly promote employee satisfaction and productivity.