Permissions with Maintenance Status Changed or Manual
Maintain generated profile names in complex system landscapes
Make sure that reference users are assigned minimal permissions to avoid overreaching dialogue user permissions. There should be no reference users with permissions that are similar to the SAP_ALL profile.
S_PROJECT authorization object: The S_PROJECT authorization object enables you to work with customising projects. You can modify, view or delete projects, maintain status information, project documentation, and perform project evaluations.
Compensating measures for segregation of duties conflicts
Since SAP NetWeaver 7.02, such a feature is available, which means that you can access the data from the system trace to maintain PFCG roles. In the following we show you how you can apply the permission values from the permission trace to your role. To do this, you must first record applications against their permission checks and then add them to your role menu.
Finally, the check logic provides for a row-level check within a table if you want to restrict access to the table contents depending on an organisational mapping. For example, if you want a user to view only the data from a table that affects the country where their work location is located, you must configure it accordingly. To do this, you define and activate organisation-relevant fields as an organisational criterion (see Tip 62, "Organisationally restrict table editing permissions"). To keep track of which users can access which tables, run the SUSR_TABLES_WITH_AUTH report. This report provides information about which user or single role has the S_TABU_DIS or S_TABU_NAM authorization objects. The result list shows all the authorised tables, their permissions, and their permission values.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
For sure: If a consulting company does not implement a process first and the "framework" is missing as a result, the existing SAP authorizations must be analyzed retrospectively and the underlying concept must be understood.
We explain the differences between locking passwords, locking and validity of user accounts, and validity of assigned permissions in the following.