Authorization Analysis
Statistical data of other users
Since SAP NetWeaver 7.02, such a feature is available, which means that you can access the data from the system trace to maintain PFCG roles. In the following we show you how you can apply the permission values from the permission trace to your role. To do this, you must first record applications against their permission checks and then add them to your role menu.
The view of the executable transactions may differ from the transactions for which the user has permissions, because the RSUSR010 report displays only the transactions that are actually executable. Not only does the transaction need to be started by the S_TCODE authorization object, but the following conditions must also be met: For certain transactions, there are additional permission checks that are performed before the transaction starts. These eligibility objects are then additionally entered in the transaction SE93 (Table TSTCA). For example, queries against the P_TCODE, Q_TCODE, or S_TABU_DIS authorization objects. The transaction code must be valid (i.e. entered in the TSTC table) and must not be locked by the system administrator (in the SM01 transaction).
Note the maintenance status of permissions in roles and their impact
The authorisation concept in SAP ERP does not normally allow to limit permissions to individual financial years. However, this is particularly relevant for tax audits. As of 1 January 2002, the electronic tax audit was enshrined in law in § 147 (6) of the German Tax Code. The opinion of the Finance Administration is in the BMF letter of 16.07.2001 (BStBl. 2001 I)"Principles on data access and the verifiability of digital documents"(GDPdU). The electronic control check can be performed in Germany on three types of access: Immediate access: The tax authority shall have the right to inspect the stored data (read-only access) and to use the taxpayer's hardware and software to verify the data, including the master data and links. Mean Access: The tax authority may require the taxable person to perform the read-only processing of the data in accordance with its specifications. Volume Release: Alternatively, the tax administration may require the taxable person to have the stored documents available to it for evaluation on a machine-usable medium.
Roles are assigned according to the function of employees in the company and their validity is limited depending on the task. Removing role assignments manually in user master kits is very tedious. We'll show you how it's easier. Over time, users of your SAP system have accumulated many roles in the user master set. These roles have different validity periods. Some roles have already expired, and other roles may be assigned multiple times, because a user might perform multiple roles in the organisation, some of which have the same roles. Now you are looking for an easy way to delete role assignments that have expired or to remove multiple role assignments.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
If a valid user group has not been entered in the customising switch, the user group is nevertheless a mandatory field.
A whitelist allows you to specify which users (such as emergency users) you want to exclude from the evaluation.