Maintain permission values using trace evaluations
Debug ABAP programs with Replace
If the programme determines that both of the criteria set out in the previous bullet points are met, the criterion of equality shall apply. This means that the proposed values of the permission that is already in place and to be added will come from the same transaction. Thus, the programme does not add a new default permission to the permission tree.
Additional checks should be performed on document transactions in specific processes. This may be necessary, for example, when booking via interfaces in customer-owned processes, if the booking is to be possible only under certain conditions or on certain accounts.
Object S_BTCH_NAM and S_BTCH_NA1 (use of foreign users in Steps)
It is very important that critical authorizations are generally subject to a monitoring process in order to be able to ensure that they are assigned in a productive system in a very restricted manner or not at all. Law-critical authorizations in particular, such as deleting all change documents, debugging ABAP programs with Replace, and deleting version histories, must never be assigned in a production system, as these authorizations can be used to violate the erasure ban, among other things. It must therefore be ensured that these authorizations have not been assigned to any user, not even to SAP® base administrators.
Finally, you can extend your implementation of the BAdIs BADI_IDENTITY_SU01_CREATE and pre-enter additional fields of the transaction SU01. To do this, complete the appropriate SET_* methods of the IF_IDENTITY interface. For example, it is possible to assign parameters that should be maintained for all users, assign a company, or assign an SNC name.
Authorizations can also be assigned via "Shortcut for SAP systems".
Here we present different scenarios for the process of resetting passwords.
Access to system tables should therefore be restricted to basic administration if possible.