Preventing sprawl with the workload monitor
A concept for SAP authorizations prevents system errors and DSGVO violations
When using encryption mechanisms, be sure to prevent access to the personal security environment (PSE) files in the server's file system and database. To do this, create your own table permission group for the SSF_PSE_D table and restrict programmes from accessing the /sec directory in the file system. For details on securing key tables, see SAP Note 1485029.
In practice, the main problem is the definition of content: The BMF letter remains very vague here with the wording "tax relevant data". In addition, there is the challenge of limiting access to the audited financial years.
Using eCATT to maintain roles
Every large company has to face and implement the growing legal requirements. If the use of an authorization concept is to be fully successful on this scale, the use of an authorization tool is unavoidable. For medium-sized companies, the use of an authorization tool is usually also worthwhile. However, decisions should be made on a case-by-case basis.
If there are no buttons for copying and pasting in the PFCG transaction, you can simply insert them. Only seven lines are displayed in the dialogue box to maintain field values to properties in transaction PFCG. Up to now it was not possible to insert more than these seven lines at once from the clipboard. However, this may often be necessary in the context of the maintenance of permissions, for example if you want to use entries from other roles. Read how to copy and paste the buttons in the dialogue box to maintain field values to the authorization objects.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
In the selection screen of the report that appears, you can select the multiple selection to the User field by clicking the arrow button and insert the users from your selection by pressing the button (upload from clipboard).
This is a short-term trace that can only be used as a permission trace on the current application server and clients.