Query Data from Active Directory
Make sense in maintaining proposal values
The basic idea of the approach described below is to evaluate the previous usage behaviour (reverse engineering) for the definition of the required permissions. In the first step, you configure the retention time of usage data, because each SAP system logs the calls to bootable applications. This way, not only the user, at what time, what transaction, but also the user, which function block was called. These data are then condensed into daily, weekly and monthly aggregates and stored for a specified period. This statistical usage data is originally intended for performance analysis; You can also use them to determine the permissions you need. We described the configuration of the retention time of the statistical usage data in Tip 26, "Use usage data for role definition". Please also refer to our explanations on the involvement of your organisation's co-determination body in the storage and use of the statistical usage data. In addition to the settings described in Tip 26, you should also adjust the retention time for the RFC Client Profile (WO), RFC Client Destination Profile (WP), RFC Server Profile (WQ), and RFC Server Destination Profile (WR) task types using the SWNCCOLLPARREO Care View.
The first step is to create an IMG project. You can create a new project or edit an existing project to create a customising role. To do this, call the SPRO_ADMI project management entry transaction. If a suitable project is not available, you can view the list of SAP customising activities. To do this, click the SAP Reference-IMG button or create a new project. To do this, select the Create Project button ( ) or the (F5) button. A new window will open, where you enter the project name. Note that you have a maximum of ten characters for the name. Once you have confirmed your input, a new screen will open. The General Data tab allows you to specify users, project managers, project times, and the language for the information texts.
Full verification of user group permissions when creating the user
Other dangers include admins simply copying user roles, not having control processes for permission assignments, or not following the processes over time. In this context, two things should be clarified: Which SAP user is allowed to access which data? How do the roles differ (especially if they are similar)?
The SAP standard allows you to evaluate the statistical usage data via a standard function block. The call is made through the transaction SE37. Select here the function block SWNC_GET_WORKLOAD_STATISTIC. The function block is used to write the usage statistics to a temporary table, from which you can extract the data for further use.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
Use the report CLEANUP_PASSWORD_HASH_VALUES.
This toggles the setting in the SCC4 transaction for changing and recording custom customising objects ("Client modifiability") for role maintenance.