Maintain permission values using trace evaluations
The use of suggestion values not only brings advantages when creating or maintaining PFCG roles, but also when maintaining permissions as a rework of an upgrade. Furthermore, these values can be used as a basis for risk definitions. Before creating PFCG roles, it is useful to maintain the suggested values for the transactions used. However, you do not need to completely revise all of the suggested values that are delivered by SAP.
If you use the option described by us to reload the change documents into a shadow database, you should also run the report SUIM_CTRL_CHG_IDX after each reload operation, marking the field Indexes loaded change documents. In this case, all reverse-loaded change documents shall be taken into account. Before doing so, all index entries must be deleted; This can lead to a long run of the report.
Deletion of change documents
Are you already using BAPIs in user care? For example, you can use them to set up a password reset self service. We show you how to do this and what you need to pay attention to. Especially with large system landscapes and systems that are only sporadically used, users often forget their password. Strengthened password rules (e.g. to change a password regularly or to require certain character types to be used), which are supposed to serve security, do their part. Forgotten passwords and the frequently resulting user locks are unfortunately often lost to the user when access to a system is most needed. Unlocking a user and assigning a new password is rarely done in real time, even with large 24-hour support service departments. This problem, which I am sure you are familiar with, does not exactly promote employee satisfaction and productivity. A self-service that uses the Business Application Programming Interfaces (BAPIs) can counteract this.
You can use the function block level permission check by setting the FUNC value in the RFC_TYPE field in the S_RFC authorization object. If you still want to allow function groups, specify the value FUGR here. Depending on the RFC_TYPE field, type the name of the function block or group in the RFC_NAME field (name of the RFC object to be protected). This extension of the test is provided by the correction in SAP Note 931251.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
Many companies are currently converting their current SAP systems from an ERP state to an SAP S/4HANA system.
In this blog post, we would like to summarize the context for practical use.