Permissions with status
Which challenges cannot be solved with authorization tools alone?
Authorizations in a company are usually not assigned to individuals, but to roles. A role describes jobs or positions within the organization. One or more persons can hold a role and thus have the access authorizations assigned to the role. The authorization profile (the number of authorizations) of a role contains all authorization objects that are required to execute the transactions. By means of a profile generator (transaction PFCG) the creation of the authorization profile can be automated in SAP.
Note that the SAP_NEW_ individual profiles should be retained themselves, so that at any given time, traceability is ensured as to which release and which permission was added. For more information, see SAP Notes 20534, 28175, and 28186. SAP Note 1711620 provides the functionality of an SAP_NEW role that replaces the SAP_NEW profile. If you have added this note, the profile will no longer be used. Instead, you can generate your PFCG role SAP_NEW by using the REGENERATE_SAP_NEW report. When you call the report, in the source and target release selections, type in the appropriate fields, and the role is created for that release difference.
SIVIS as a Service
The four important concepts of SAP security first require a certain amount of effort. They not only have to be coordinated, formulated and made available, but also continuously updated and, above all, actively implemented. Nevertheless, the return on investment is high, because they prepare for all eventualities, provide audit security, and also offer a high level of protection for the SAP system and thus for the company itself.
The view of the executable transactions may differ from the transactions for which the user has permissions, because the RSUSR010 report displays only the transactions that are actually executable. Not only does the transaction need to be started by the S_TCODE authorization object, but the following conditions must also be met: For certain transactions, there are additional permission checks that are performed before the transaction starts. These eligibility objects are then additionally entered in the transaction SE93 (Table TSTCA). For example, queries against the P_TCODE, Q_TCODE, or S_TABU_DIS authorization objects. The transaction code must be valid (i.e. entered in the TSTC table) and must not be locked by the system administrator (in the SM01 transaction).
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
In addition, change the password, assign the user to the SUPER user group, and log it with the Security Audit Log.
What is the difference between transactions and how are they used correctly?