Controlling file access permissions
Maintain permission values using trace evaluations
There may be other objects associated with the site that you can also assign a PFCG role to. As in our organisation chart, you can assign three different PFCG rolls to the user. You can assign the PFCG roles to either the organisational unit, the post or the post. In this hierarchy, you assign the user as the person of the post. The user is assigned to the person as an attribute and therefore not visible in the organisational model. An HR structure could be mapped via this hierarchy. Since the PFCG roles are not directly assigned to the user but to the objects in the Organisation Management and the user is assigned to the PFCG roles only because of his association with these objects, we speak of an indirect assignment.
For the entries in the SPTH table, note that the application defines whether a file is accessed with or without the path. For example, the related transactions ST11 (error log files) and AL11 (SAP directories) behave differently. While ST11 opens almost all files without a path (they are in the DIR_HOME directory anyway), AL11 basically uses fully specified file names with a path. An entry in the SPTH table with PATH = / is therefore misleading. It specifies that the defined access restrictions apply to all files specified by path. However, this only applies to applications that access files using a specified path. However, applications that access files without a path are not restricted; Files in the DIR_HOME directory may be excluded.
Centrally review failed authorisation checks in transaction SU53
Initial passwords for standard users are extremely risky because they are published. Make sure that this vulnerability does not exist in your system landscape. An SAP system is always shipped with certain standard users or they are automatically set up for the transport management system, for example. These default users use initial passwords that are well known. Close this vulnerability by changing the passwords and protecting the default users from unauthorised use. In this tip we will show you how you can clarify the status of your standard users' passwords and give you recommendations on the settings of your profile parameters.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
At "www.sap-corner.de" you will also find a lot of useful information on the subject of SAP authorizations.
This can lead to undesirable behaviour, especially if the parameter for the validity of the initial password is set.