Permissions with Maintenance Status Used
General considerations
Before using the system recommendations, we recommend that you implement the corrections in SAP Notes 1554475 and 1577059. It is also necessary that the systems to be managed are connected to the SAP Solution Manager and that in the transaction SMSY were assigned to a productive system and an SAP solution. Then, in the System Recommendations settings, schedule a background job that collects the relevant information about the attached systems. Relevant information is your release and support package stand, as well as SAP notes and their versions. An OSS connection from the SAP Solution Manager, which you have to set up beforehand, will then perform a calculation in the SAP Global Support Backbone, which will determine the necessary information, i.e., that the SAP Solution Manager itself hardly generates any load from the calculation. To automatically check the security level of your systems, you should also schedule this calculation as a background job.
In particular, you can derive valuable information about customer transactions, since experience has shown that not all transactions are used. In this context, it is important to mention that you should only use the usage data logged and extracted from the SAP system for the optimisation of SAP role concepts. This information may only be used with the involvement of a co-determination body of your organisation, since this information can of course also be derived from individual users for performance control purposes. However, experience has shown that the use of these data with an early involvement of the institutions of codetermination and the definition of earmarks is uncritical.
Communication User
With the transaction SUIM you can search under roles, roles with different search criteria. The variant "Roles by complex selection criteria" covers all possible selection criteria. However, you can also search only for a specific selection criterion (e.g. only for transactions, only for authorization objects...).
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
You can also find some useful tips from practice on the subject of SAP authorizations on the page "www.sap-corner.de".
The hash algorithms previously used in SAP systems are no longer considered safe; They can be cracked in a short time using simple technical means.