Additional permission check on the S_RZL_ADM authorization object: For security reasons, an additional permission check is performed on the S_RZL_ADM authorization object for special PSE (Personal Security Environment) files with access type 01 (Create). These files are called *.pse and cred_v2. These files are required for single sign-on, encryption and digital signatures. They are maintained using the transaction STRUST and the transaction STRUSTSSO2, which require the same permission (see SAP Note 1497104 for details).
In this case, please note that you may need to replace the SS table permission group with other table permission groups. This is required if you have entered a different table permission group when maintaining the table permission groups, for example, for the T000 table.
Check current situation
Service users are used for multi-person anonymous access, such as Web services. This type of user is also dialogical, i.e. it can log on to the SAP system via SAP GUI. With a service user, multiple logins are always possible, and password modification rules do not work. This behaviour has changed with the introduction of security policy. Because previously all password rules for the service user were invalid, and now the rules for the contents of the passwords also apply to the service user (see Tip 5, "Defining User Security Policy" for details on security policy). The password of a service user always has the status Productive and can only be changed by the user administrator.
Configuration validation is a tool that allows systems to be tested against corporate or organisational requirements and regulations. You can find this tool in the Change Management section of the SAP Solution Manager. This allows you to evaluate security-relevant configurations and critical permissions. This is based on the SAP Solution Manager's Configuration and Change Database (CCDB), which stores all details about the configuration of the connected systems. The configuration data is stored in different configuration stores, depending on the type of configuration. You can evaluate the configuration of the operating system, the database, and profile parameters in the ABAP and Java systems. You will also get an overview of the status of transport orders and support packages. You can also track changes to the configurations of the attached systems in the CCDB. You can also graphically evaluate these changes via an end-to-end analysis in SAP BW; contains information on the number of changes per system, the type of changes and the modification date.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
In the USR_CUST table, set CHECK_MOVE_4_CNG_GRP to YES.
In SAP systems, the authorization concept is the key element used to secure access to company data and manipulation of the system.