Evaluation of the authorization check SU53
Define a user group as mandatory field in the user root
Make your IMG projects more secure. We show you how to create customising permissions for individual projects or project views, thereby limiting access. With the SAP Implementation Guide (IMG), there is a tool that allows you to customise your SAP system to suit your business needs. You can manage access to projects in the IMG via customising permissions and thus limit the user circle. You grant the members of an SAP project team the permissions they need to support the project. Below we show you how to create customising permissions by mapping to the IMG projects.
If you want to set the table logger check for multiple tables, you should note that the principles for changing Dictionary objects apply, i.e. you will generate increased system loads in running systems. Therefore, you should make both the modification and the transport of the changes outside of business hours. The SAP system only provides customising tables for table logging by default; so you don't have to worry about performance. Tables that serve to customise typically contain relatively little data that is rarely changed. However, you should not turn on table logging for tables that are subject to mass changes, as there may be performance and disk space issues. This applies to tables with root or movement data. After all, if table logging is enabled, a log entry in the DBTABLOG table is generated for each change to the contents of a logged table.
Know why which user has which SAP authorization
If you have developed your own permission checks to use them in your own programmes or to make extensions to the SAPS standard, it is essential that you maintain the Z authorization objects as suggestion values for the respective applications. Thus, they do not have to be reworked manually in the respective roles. In addition, you have created a transparent way to document for which applications your customer's permissions are available. Last but not least, a well-managed suggestion value maintenance helps you with upgrade work on suggestion values and PFCG roles. This ensures that your changes and connections to the respective PFCG roles are retained and new permissions checks for the new release are added to the applications.
The assignment of the SAP_ALL profile is not required for the operation of an SAP system; therefore, a yellow icon will appear for the first check once a user has assigned the profile. For the other six checks on critical base permissions, the yellow icon will be displayed when a client is found on the system and at least one of the following two conditions applies: More than 75 users have the permission checked in this check. More than 10% of all users have the permission checked in this check, but at least 11 users.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
For this purpose, the so-called AUTHORITY-CHECK is used, which queries the required authorization object characteristics and thus only allows authorized users to execute the code.
If a transaction is removed from the role menu, the default permission is deleted when mixing.