Permission implementation
Maintain permission values using trace evaluations
Note that the SAP_NEW_ individual profiles should be retained themselves, so that at any given time, traceability is ensured as to which release and which permission was added. For more information, see SAP Notes 20534, 28175, and 28186. SAP Note 1711620 provides the functionality of an SAP_NEW role that replaces the SAP_NEW profile. If you have added this note, the profile will no longer be used. Instead, you can generate your PFCG role SAP_NEW by using the REGENERATE_SAP_NEW report. When you call the report, in the source and target release selections, type in the appropriate fields, and the role is created for that release difference.
Because certain types of permissions, such as analysis permissions, for SAP BW, or structural permissions in SAP ERP HCM are not based on SAP permission profiles, these permissions are not displayed or refreshed in the permission buffer. To analyse such eligibility issues, you must therefore use the appropriate tools, such as the HRAUTH transaction for SAP ERP HCM or the RSECADMIN transaction for SAP BW. The same applies to the Organisation Management buffer if you use indirect role mapping. Run the RHWFINDEXRESET report to reset the Organisation Management buffer. A prerequisite for the user buffer to be up-to-date is the correct user matching (green instead of yellow statusabilds on the Users tab).
SAP Security Concepts
For the scenario of sending initials passwords, signing emails is not so relevant. Although it is possible to send an encrypted e-mail with a fake sender address, in this case the initial passwords in the system would not work. It looks different when you send business data; In such cases, verification of the sender via a digital signature is recommended. If you want to send e-mails digitally signed, we advise you to send them at the system's e-mail address. To do this, use the SEND_EMAIL_FOR_USER method described and place the sender's tag on the system. In this case, you need a public key pair for your ABAP system, which is stored as a Personal System Security Environment (PSE). For a detailed description of the configuration, including for verification and decryption of received emails, see the SAP Online Help at http://help.sap.com/saphelp_nw73ehp1/helpdata/en/d2/7c5672be474525b7aed5559524a282/frameset.htm and SAP Note 1637415.
Careful maintenance of suggestion values in the relevant authorization objects results in recurring benefits in creating and revising roles for Web applications. In addition, the SU25 transaction supports role post-processing in the context of SAPUpgrades.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
In order to sustainably guarantee the security of the SAP system internally and externally, regular auditing is indispensable.
Each pass of the profile generator collects all the permission suggestions from the SU24 transaction to a transaction added through the role menu of the single role and checks the permissions to be added to the permission list.