Retain the values of the permission trace to the role menu
Customising User and Permissions Management
The S_RFCACL authorization object is removed from the SAP_ALL profile by inserting SAP Note 1416085. This notice is included in all newer support packages for the base component; This affects all systems down to base release 4.6C. The reason for this change is that the S_RFCACL authorization object, and especially the expression "total permission" (*), is classified as particularly critical for its fields RFC_SYSID, RFC_CLIENT and RFC_USER. These fields define from which systems and clients or for which user IDs applications should be allowed on the target system. Thus, the overall authorisation for these fields allows the login from any system and client or for any user and thus creates significant security risks.
Eligibility objects that were visible in the permission trace are quickly inserted in rolls. But are they really necessary? Are these possibly even critical permissions? A review of the Permissions Concept can reveal that critical permissions are in your end-user roles. We would like to give you some examples of critical permissions in this tip. It is helpful to know which authorization objects are covered by the critical permissions. They must also ask themselves whether the granting of these allowances entails risks.
Conclusion and outlook
System users are also intended for anonymous access. They are used in technical operations that require a user, such as batch runs or RFC connections. With them, therefore, no dialogue login is possible on the SAP system, but only the login via RFC call. Multiple logins are always possible for a system user, and the password modification rules (see also the explanation under "Service Users") do not apply. The password of a system user always has the status Productive and can only be changed by the user administrator.
In order to be able to use the following reports, you must not only have the appropriate authorizations, but also be aware that, depending on your SAP release or Notes, some reports are not yet or no longer available. The following reports were executed with release level 7.50.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
This report documents the current status of the Client and System Modification Settings in an overview, which you can also print out for evaluation if required.
The former checks whether authorization checks are present in the source code at all.