Know why which user has which SAP authorization
Analysis and reporting tool for SAP SuccessFactors ensures order and overview
Put the values of the permission trace into the role menu: The applications (transactions, web-dynpro applications, RFCBausteine or web services) are detected through their startup permissions checks (S_TCODE, S_START, S_RFC, S_SERVICE) and can be added to the role menu of your role. In your role, go to the Menu tab and import these applications by clicking Apply Menus and selecting Import from Trace. A new window will open. Here you can evaluate the trace and view all recognised applications in the right window. To do this, click the Evaluate Trace button and select System Trace (ST01) > Local. In a new System Trace window, you can specify the evaluation criteria for the trace, such as the user using the Trace field only for users or the time period over which to record. Then click Evaluate. Then, in the right part of the window, you will see all the applications logged. Select the applications you want to apply to the Roles menu and click Apply. You can now decide how the applications appear in the Role menu. The application can be added to the role either as a permission proposal or as a menu item through the Add drop-down box. They can be displayed as a list or as a panel menu (insert as list) or according to the SAP menu tree in which the application is stored in the SAP menu (insert as SAP menu).
Eligibility objects that were visible in the permission trace are quickly inserted in rolls. But are they really necessary? Are these possibly even critical permissions? A review of the Permissions Concept can reveal that critical permissions are in your end-user roles. We would like to give you some examples of critical permissions in this tip. It is helpful to know which authorization objects are covered by the critical permissions. They must also ask themselves whether the granting of these allowances entails risks.
What are the advantages of SAP authorizations?
Make sure that the client-independent tables for logging are always logged when the parameters are not set to OFF. In addition to the parameters listed here, the table itself must also have the table logging hook set; This is usually done with the help of the transaction SE13. The settings are made in development and then transported to the other systems. The SAP standard already provides some tables for logging; For an overview of these tables, see SAP Note 112388 (tables requiring logging). You can evaluate the logging settings of the tables using the RDDPRCHK report or the RDDPRCHK_AUDIT transaction in the SAP system. The selection is made in the start image of the report, e.g. via the table name or the selection of options for logging.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
If you want to know more about SAP authorizations, visit the website "www.sap-corner.de".
However, at the latest during the next review, targeted queries with data combinations - and thus several SUIM query sequences - must be delivered within a short time.