Use usage data for role definition
Copy the user from the Clipboard to the Transaction SU10 selection
You can translate text blocks in permission roles individually using the SE63 transaction. If you need to translate many roles, there are also automation options that we present here. There are several scenarios in which it becomes interesting to translate the texts of permission roles, for example, if your company is acting internationally. Also, you may have taken over a third party company and the SAP systems used there, or you may want to simplify the SAP system landscape by combining different divisions in one system. In all of these cases, you must standardise or translate the texts of the authorisation roles. For pure translation, you can use the transaction SE63, which we explain in the first section of this tip. In general, however, you will need to translate a large number of role texts in these scenarios; Therefore, in the second section we will explain how you can automate the translation using the LSMW (Legacy System Migration Workbench) transaction and will discuss how to set up a custom ABAP programme.
SAP Note 1707841 ships an extension to the system trace in the STAUTHTRACE transaction, which enables the permission trace to be used on all or on specific application servers. To select the application servers on which to start the trace, click the System Trace button. Now select the application servers in the list on which you want to run the system trace and start the trace with a click on Trace. In the evaluation of the Permission trace, an additional column named Server Name appears, showing you the name of the application server on which the respective permission checks were logged.
Detect critical base permissions that should not be in application roles
The customising parameters in the table PRGN_CUST control the password generator in the transactions SU01 and SU10. The values of the profile parameters override the customising parameter entries to prevent invalid passwords from being generated. If the value of a customising parameter is less than the value of the corresponding profile parameter, the default value of the customising parameter is drawn instead. The same is true if no value is maintained. You can exclude certain words or special characters as passwords by entering them in the USR40 table. In this table you can enter both specific passwords (e.g. your company's name) and patterns for passwords (e.g. 1234*). '*' stands for any number of additional characters (wild card) and '?' for any character. However, when maintaining the USR40 table, note that the number and type of entries affect performance.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
At "www.sap-corner.de" you will also find a lot of useful information on the subject of SAP authorizations.
Now check all permissions in all remaining profiles within the SAP_NEW summary profile that have a higher release level than the SAP_BASIS upgrade start release.