Maintain transaction start permissions on call CALL TRANSACTION
Correct settings of the essential parameters
It's never too late to rethink your authorization concept. Start by defining the objective of each role and take advantage of the reporting offered in SAP SuccessFactors.
This report checks the customising of the CRM business role for which the PFCG role is to be created, and writes all area start pages and logical links to a text file in the form of external services. This text file is stored locally in the SAP folder under c:/User//SAP. On the Menu tab of the PFCG role, you can upload this text file from File by selecting Menu > Import.
Centrally review failed authorisation checks in transaction SU53
The first line defines that access to all files is forbidden unless other settings have been made for them in the other lines. The asterisk (*) is in the first place here and in this case for all files and paths. If the asterisk is in a different position, it is interpreted as part of the file name, which is not allowed in Microsoft Windows, for example. In our example table, setting the switches FS_NOREAD = X and FS_NOWRITE = X for all paths prohibits reading and writing. This makes the table a white list. This is preferable to a black list for security reasons. SPTH, on the other hand, becomes a Black List if you remove the first line with PATH = * in our example or if you do not set any of the switches FS_NOREAD, FS_NOWRITE or FS_BRGRU. The second line with PATH = /tmp allows read and write access for all files starting with /tmp, similar to a permission value /tmp*, as an exception to the access ban defined in the first line for all files and paths. This setting is not limited to subdirectories, but includes, for example, all files whose name starts with /tmp-xy. The third line with PATH = /tmp/myfiles defines a permission group with FS_BRGRU = FILE, triggering the subsequent permission check on the S_PATH object. The SAVEFLAG = X switch defines that these files will be included in a backup procedure; however, this is not relevant for the permission award.
The concept for in-house developments is obligatory for every company that writes its own software. It specifies requirements, for example, for the structure, naming and documentation of program components, and in particular for dealing with safety-critical aspects. The wording should not be too general, but should explicitly address the special features of programming in SAP.
With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.
Users' favourite lists provide valuable information about the transactions they use.
This applies to all reports that access the logical database PNPCE (or PNP).