Authorization concept
Implementing CRM Role Concept for External Services
You can do without taking obsolete profile data into account by adding the correction from SAP Note 1819126 and then setting the REC_OBSOLETE_AUTHS customising switch to NO in the table PRGN_CUST. This correction is also important because it fixes runtime problems when releasing role transports, resulting from the correction in SAP Note 1614407. As a general rule, you should always run bulk transport sharing in the background.
SAP Note 1854561 provides a new possible value for the auth/authorisation_trace parameter: F (Trace enabled with filter). Allows you to limit the permission trace to values that can be set by the filter. The filters are defined in the STUSOBTRACE transaction (see SAP Note 1847663).
Security in development systems
Regardless of whether you select the degree of simplification COARS = 1 or 2, you should not enter * or SAPDBPNP (programme name of logical database PNP) in the REPID field. With these values, you allow access to the logical databases SAPDBPNP and SAPDBPAP and thus to all contained root data.
Access options and authorizations are defined and controlled in the SAP authorization concept. How secure business data is in SAP depends largely on the assignment of authorizations and access options for a company's users.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
In particular, if the Whitelists are not yet maintained, reporting volumes of up to 200 pages are not uncommon.
We'll show you how it's easier.