WHY ACCESS CONTROL
Use usage data for role definition
The security of an SAP system does not depend on securing the production system alone. Development systems must also be considered, because changes made in the development environment and in customizing are transported to the production system and can influence it, as can inadequately configured interfaces. Depending on how granularly responsibilities are divided in the development and customizing environment, more detailed authorization checks may need to be performed.
Merely adding an authorization object via SU24 does not automatically result in a check within the transaction. The developer must include an authorization check for exactly this object in the program code.
SAP authorizations: Recommendations for setting up, monitoring and controlling
A new transaction, STAUTHTRACE, has been added to evaluate the system trace for authorization checks only; you can import it via the respective support package named in SAP Note 1603756. This is a short-term trace that can only be used as an authorization trace on the current application server and clients. In its basic functions it is identical to the system trace in transaction ST01; unlike the system trace, however, only authorization checks can be recorded and evaluated here. You can limit the recording to a specific user. You can also use the trace to search only for authorization errors. The evaluation is similar to the evaluation of the system trace in transaction ST01. In transaction STAUTHTRACE, however, you can also evaluate for specific authorization objects or for specific authorization check return codes (i.e. for positive or negative authorization checks). You can also filter multiple entries.
You may have special requirements that must be included in the naming convention, for example when you define template roles in a template project that can be customised locally. You can make this identifiable in the naming.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
You can do this for each intermediate release individually.
Therefore, it is not possible to add a list of more than 28 users, which can be very difficult for long lists.