Grant permission for external services from SAP CRM
Detect critical base permissions that should not be in application roles
Roles are assigned according to the function of employees in the company and their validity is limited depending on the task. Removing role assignments manually in user master kits is very tedious. We'll show you how it's easier. Over time, users of your SAP system have accumulated many roles in the user master set. These roles have different validity periods. Some roles have already expired, and other roles may be assigned multiple times, because a user might perform multiple roles in the organisation, some of which have the same roles. Now you are looking for an easy way to delete role assignments that have expired or to remove multiple role assignments.
Your SAP system landscape keeps you safe and up-to-date by inserting different types of SAP hints and patches. For a first overview of the security information for SAP systems, see the SAP Service Marketplace at https://service.sap.com/securitynotes. For a complete list of all security advisories for all SAP solutions (SAP NetWeaver Application Server ABAP and Java, TREX, SAP HANA, Sybase, SAP GUI, etc.), see Security Notes Search on this page. The My Security Notes page allows you to find the SAP notes that are relevant for systems registered in SAP Service Marketplace. This does not take into account information already recorded.
Restrict Application Server Login
Insert SAP Note 1171185 into your ZBV system. With this notice, the report RSUSR_SYSINFO_LICENSE is delivered, which retrieves and displays the user types from the systems connected to the ZBV. In addition, however, SAP Note 1307693, which contains new functionalities of licence measurement, must be installed on the subsidiary systems connected to the ZBV. In addition, you may need to extend the permissions of the users in the RFC connections to the ZBV's subsidiary systems by the permissions to the S_RFC object with the SUNI and SLIM_REMOTE_USERTYPES function groups. If the SAPHinkling 1307693 is not installed on a subsidiary system, or the RFC user's permissions have not been adjusted accordingly, the RSUSR_SYSINFO_LICENSE report in the application log (transaction SLG1) will issue a warning.
Once a permission concept has been created, the implementation in the system begins. On the market, there are solutions that create PFCG rolls based on Microsoft Excel in the blink of an eye. You should, however, take a few things into account. Have you defined your roles in the form of role matrices and your organisational levels (orgés) in the form of organisational sets (orgsets)? All of this is stored in Excel documents and now you want a way to simply pour this information into PFCG rolls at the push of a button, without having to create lengthy role menus or then derive large amounts of roles, depending on how many organisational sets you have defined?
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
For sure: If a consulting company does not implement a process first and the "framework" is missing as a result, the existing SAP authorizations must be analyzed retrospectively and the underlying concept must be understood.
First, the Web application developers must implement appropriate permission checks and make PFCG available for use in role maintenance in the transaction.