Use AGS Security Services
Prevent excessive permissions on HR reporting
If you no longer need old audit results, you can archive or delete them with the transaction SAIS via the button (Administration of the Audit Environment). The audit results shall be selected on the basis of the audit structures, the test numbers or the entry date (see figure next page).
If you manage your SAP system landscape via the Central User Administration (ZBV), you must insert SAP Note 1663177 into both the ZBV system and all attached subsidiary systems. In this case, also note that the default user group will be assigned in the daughter systems if no user group has been distributed during the user's installation from the ZBV. In addition, you will receive an error message in the SCUL transaction stating that a user group must be assigned to the user (via the ZBV headquarters). This behaviour is independent of the settings of the distribution parameters for the user group in the SCUM transaction. If you have set the distribution parameters for the user group to Global or Redistribution, the appropriate subsidiary system will reject the changes made to users that do not have a user group in the Central System, and you will receive an error message in the SCUL transaction.
Object S_BTCH_ADM (batch administration authorization)
A new transaction has been added to evaluate the system trace only for permission checks, which you can call STAUTHTRACE using the transaction and insert via the respective support package named in SAP Note 1603756. This is a short-term trace that can only be used as a permission trace on the current application server and clients. In the basic functions, it is identical to the system trace in transaction ST01; Unlike the system trace, however, only permission checks can be recorded and evaluated here. You can limit the recording to a specific user. You can also use the trace to search only for permission errors. The evaluation is similar to the evaluation of the system trace in the transaction ST01. In transaction STAUTHTRACE, however, you can also evaluate for specific authorization objects or for specific permission check return codes (i.e. after positive or negative permission checks). You can also filter multiple entries.
After successful implementation of your permission check, the new authorization object for your application must be maintained in transaction SU24. If your solution is distributed in other system landscapes, the authorisation proposals in the transaction SU22 are maintained. In addition, with the permission proposal value maintenance, you can make sure that the new authorization object is not forgotten in a role system, because it is now loaded automatically into the PFCG role when the application is called up via the role menu. In the final step, the permission administrator can create the PFCG role or must remix the existing PFCG roles.
Authorizations can also be assigned via "Shortcut for SAP systems".
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
Likewise, in addition to a statutory publication of the balance sheet and P&L (profit and loss) statement, internal evaluations can also be created.
After transport to the target system, this role is activated as a runtime object.