Dialogue user
Basics SAP Authorizations including Fiori - Online Training
All external services for cross-navigation are stored in the role menu in the GENERIC_OP_LINKS folder. In addition to this information, this folder also contains external services that represent the already mentioned area start pages and logical links. You can delete the latter, as these are duplicates from the other folders or non-relevant external services. Now, to set up correct permissions for the non-manageable external services in the GENERIC_OP_LINKS folder, you can identify the external services you need for your CRM business role and delete all other external services. However, as I said, there is a risk that too many external services will be deleted and cross-navigation or calling the saved searches will no longer work. It is better to move the GENERIC_OP_LINKS folder to a separate role.
Please note that depending on the results of the RSUSR003 report, a system log message of type E03 is generated. If a critical feature (stored in red) is detected, the message text"Programme RSUSR003 reports ›Security violations‹"is written into the system log. If no critical feature has been detected, the message"Programme RSUSR003 reports ›Security check passed‹"will be displayed instead. This message is sent because the password status information of the default users is highly security relevant and you should be able to track the accesses. You can grant the User and System Administration change permissions for the RSUSR003 report, or you can grant only one execution permission with the S_USER_ADM authorization object and the value CHKSTDPWD in the S_ADM_AREA field. This permission does not include user management change permissions and can therefore also be assigned to auditors.
Using eCATT to maintain roles
For the entries in the SPTH table, note that the application defines whether a file is accessed with or without the path. For example, the related transactions ST11 (error log files) and AL11 (SAP directories) behave differently. While ST11 opens almost all files without a path (they are in the DIR_HOME directory anyway), AL11 basically uses fully specified file names with a path. An entry in the SPTH table with PATH = / is therefore misleading. It specifies that the defined access restrictions apply to all files specified by path. However, this only applies to applications that access files using a specified path. However, applications that access files without a path are not restricted; Files in the DIR_HOME directory may be excluded.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
At "www.sap-corner.de" you will also find a lot of useful information on the subject of SAP authorizations.
If you want to copy clients, you have to set this parameter to 0 again before you do so, because the user SAP* is required for this.