Use timestamp in transaction SU25
Translating texts into permission roles
You can use the function block level permission check by setting the FUNC value in the RFC_TYPE field in the S_RFC authorization object. If you still want to allow function groups, specify the value FUGR here. Depending on the RFC_TYPE field, type the name of the function block or group in the RFC_NAME field (name of the RFC object to be protected). This extension of the test is provided by the correction in SAP Note 931251.
You should archive all document types at the same time intervals; This is especially true for the US_USER and US_PASS archive objects. It is customary to keep the supporting documents between 12 and 18 months, as this corresponds to the retention periods for the revision. For performance reasons, if you want to archive in shorter intervals, you should always archive all archive objects at the same time and store the PFCG and IDENTITY archive object classes in separate archives. In this case, it may be useful to download the archived revision documents back to a shadow database to make them available for faster review. You can use the following reports: RSUSR_LOAD_FROM_ARCH_PROF_AUTH / RSUSR_LOAD_FROM_ARCHIVE. You can also archive the table change logs with the BC_DBLOGS archive object.
Assignment of critical authorizations and handling of critical users
After creating a authorization object, you should do the following: Make the permission check implementation at a convenient location in your code. Maintain the proposed values for the application in the transaction SU24. Re-load the role in the PFCG transaction if the application has already been rolled. If it is a new application, adjust the roles by including the new application in the Role menu, and then maintaining the permissions of the authorization objects loaded into the role by the suggestion values.
Suggested values are maintained in the transaction SU24 and delivered through the transaction SU22. Read more about the differences between these two transactions. Maintaining suggestion values via the SU24 transaction is useful if you want to reflect your own requirements or if the values provided by SAP do not meet customer requirements (see Tip 37, "Making sense in maintaining suggestion values"). These proposed values form the basis for the role maintenance credentials in the PFCG transaction. As you know, the suggested values provided by SAP are in the transaction SU22, which are delivered during reinstallation or upgrades as well as in support packages or SAP hints. What is the difference between transactions and how are they used correctly?
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
For a complete list of all security advisories for all SAP solutions (SAP NetWeaver Application Server ABAP and Java, TREX, SAP HANA, Sybase, SAP GUI, etc.), see Security Notes Search on this page.
If you want to use the System Trace for permissions in a system with multiple application servers, you should note that the Trace can only log and evaluate data per application server at any time.