Compare Role Upgrade Permissions Values
Query Data from Active Directory
By correcting SAP Note 1692243, you can now also use the report in a ZBV (Central User Management) environment; It is no longer limited to individual clients. If the role assignment of the ZBV in the SCUM transaction is set to global, it is sufficient if the correction is recorded in the central client. Then it is only possible to execute the report in the central client. Furthermore, you have the option to select the ZBV's subsidiary systems from the Receive System drop-down box in such a way that only the systems in which the role assignment is to be consolidated or deleted are taken into account. In the results list of the consolidated role assignment, you will now be listed in the ZBV-System column the subsidiary systems where consolidation or deletion took place.
In addition to defining permissions for external RFC access through the S_RFC authorization object, it is possible to prevent external calls to function blocks. From SAP Net-Weaver AS ABAP 7.40 there is the additional SAP Unified Connectivity (UCON) layer. It controls external access to RFC function blocks independently of users or roles and can be configured to suit your needs. All function modules that are to be executable via RFC are entered into the UCON Communication Assembly. If a function block is not stored there, the call will be blocked. UCON has been designed to minimise impact on RFC call performance. The necessary function blocks are identified in the UCON Phase Tool (transaction UCONPHTL), which constantly monitors all external RFC calls and supports an introduction of the UCON Communication Assembly. This allows calls to new function blocks (such as custom developments, support package changes) to be analysed and, if necessary, released for external access. In addition, UCON offers the possibility to review the configuration in an evaluation phase. There are approximately 40,000 RFC-enabled function blocks in an ERP system; Usually no more than a few hundred of them are used. With the use of UCON you therefore increase the security of your system.
Retain the values of the permission trace to the role menu
Two other very important settings are the activation of the security audit log and the table logging. Both parameters must be activated in order to ensure traceability at the user level as well as at the table level. It should therefore be checked whether the detailed settings for the security audit log are set up in accordance with the company's specifications and, in any case, whether all users with comprehensive authorizations, such as SAP_ALL, are fully covered by the logging without exception.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
If you want to know more about SAP authorizations, visit the website "www.sap-corner.de".
There are few examples, such as the role manager of the industry solution SAP for Defence and Security, in which the result of a value role concept is still useful and appropriate for the user.