Schedule PFUD transaction on a regular basis
Implementing Permissions Concept Requirements
The SAP authorization concept protects transactions, programs, services and information in SAP systems against unauthorized access. Based on the authorization concept, the administrator assigns users the authorizations that determine the actions this user can perform in the SAP system after logging on and being authenticated.
If you have created your own applications, we recommend that you always implement your own permission check and do not just rely on application startup permissions such as S_TCODE, S_START, S_SERVICE, and S_RFC. If you want to add your own checks to standard applications, you must first find the appropriate place to implement the check. To develop without modification, SAP offers user-exits or business add-ins (BAdIs) for such cases. Some SAP applications also have their own frameworks in place that allow customisation-free implementation of their own permission checks, such as the Access Control Engine (ACE) in SAP CRM.
Assignment of roles
SAP*: The SAP* user is part of the SAP kernel, and since it is hard-coded in the SAP system, it does not require a user master set. If there is no user master set for SAP*, anyone can log on to the SAP system after rebooting with this user, as the default password will then apply. The user thus has access to all functions, since Authority Checks in this case do not take effect. You can prevent this behaviour by setting the login/no_automatic_user_sapstar profile parameter to 1. If you want to copy clients, you have to set this parameter to 0 again before you do so, because the user SAP* is required for this. Safeguard measures: Despite the parameter setting, the SAP user should have a user master set in all clients. However, you should remove all profiles and lock the user. In addition, change the password, assign the user to the SUPER user group, and log it with the Security Audit Log.
Software license management is essential to get an accurate overview of all SAP transactions. We provide you with a transaction database in which the transactions are evaluated with named user license types. Your advantage: the actual usage of your SAP users is matched with the transaction database. "SAP direct access" analyzes the licenses for actual usage and classifies the critical cases. With SAP license optimization we maintain your individual license contracts and compare the results with LAW. We can point out discrepancies, including drill-down to user/client level, directly.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
After confirming your entries, you confirm the Permissions field maintenance in the Permissions proposal maintenance by clicking on the green checkmark, so that the status of the Permissions object is green (maintained).
This helps to identify problems and incorrectly assigned authorizations at an early stage.