Compare Role Upgrade Permissions Values
Starting Web Dynpro ABAP applications
Finally, we want to give you some recommendations for securing file access. The SPTH table allows you to protect the file system from ABAP programme accesses without granting permissions and to deliberately define exceptions. The problem is identifying the necessary exceptions. However, because the SPTH check is always performed together with the S_DATASET object check, you can use a long-running permission trace to find the paths that are used with filters for the S_DATASET authorization object. The procedure for this is described in detail in our Tip 39, "Maintain suggestion values by using trace evaluations". If you are using applications that access files in the DIR_HOME directory without a path, such as the ST11 transaction, you must specify access to the allowed file groups individually (e.g. dev_, gw_), because there is no wild card for DIR_HOME.
The function block was obviously not intended for this use, but our procedure does not affect the programme process and we are not aware of any limitations resulting from this use. You can also apply this procedure to other BTEs that pass data in a similar form. However, you should always exercise caution and check whether the application has already created sum records or whether there are other dependencies. Finally, you will need to create a product you have developed (you can define the name yourself) in the FIBF transaction and assign it to Business Transaction Event 1650 along with the customer's own function block, as shown in the following figure. A custom product may include several enhancements. It forms a logical bracket around the extensions and thus provides a better overview. In addition, it allows for a targeted activation or deactivation of the implementations.
Service User
The general SAP authorizations are used most often and for many things they are sufficient. For example, if only the HR department has access to the SAP HCM system. However, if other users come onto the system and you only want to allow them access to a limited number of personnel, then in the case of the general authorizations you have to deal with the organization key of infotype 1 (VSDK1), which must be hard-coded into the authorization roles. If ESS/MSS or Manager Desktop etc. now come into play, however, this means a large number of authorization roles, namely a separate one for each manager. This makes maintenance and servicing very time-consuming and your authorization concept becomes opaque, which in turn brings the much-quoted auditor onto the scene.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
You can also find some useful tips from practice on the subject of SAP authorizations on the page "www.sap-corner.de".
After activation, advanced security checks are available in the usual development environment within the ABAP Test Cockpit.