RSUSRAUTH
System trace function ST01
There may be other objects associated with the site that you can also assign a PFCG role to. As in our organisation chart, you can assign three different PFCG rolls to the user. You can assign the PFCG roles to either the organisational unit, the post or the post. In this hierarchy, you assign the user as the person of the post. The user is assigned to the person as an attribute and therefore not visible in the organisational model. An HR structure could be mapped via this hierarchy. Since the PFCG roles are not directly assigned to the user but to the objects in the Organisation Management and the user is assigned to the PFCG roles only because of his association with these objects, we speak of an indirect assignment.
To support the safe operation of SAP systems, SAP offers a whole portfolio of services. We present the security services offered by SAP Active Global Support (AGS). The security of an SAP system in operation depends on many factors. There are several security features in the SAP standard, such as user management, authentication and encryption capabilities, web service security features, and the various authorisation concepts. Vulnerabilities in the standard software are also regularly fixed in SAP notes and support packages. You are responsible for the safe operation of your SAP system landscapes; so you need to incorporate these features and fixes into your systems. The AGS Security Services support you by bundling the experiences of the AGS into consolidated best practices. We introduce these services and describe how they help you gain an overview of the security of your operational concept.
Define a user group as mandatory field in the user root
As a role developer, you can now select the specific application in the PFCG transaction from the list of web dynpro applications published by the software developers on the Menu tab and enter it in the Role menu. To generate the role profile, switch to the Permissions tab. There you can check the concrete value expressions of the S_START permission fields and, if necessary, the additional relevant authorization objects for this Web application and supplement them if necessary. Finally, you must generate the role profile as usual.
The security policy was introduced with the SAP NetWeaver 7.31 release; for their use you need at least this release. Security policies thus replace the definition of password rules, password changes, and login restrictions via profile parameters. The security policy is assigned to the user in transaction SU01 on the Logon Data tab. Profile parameter settings remain relevant for user master records that have not been assigned a security policy. Some of the profile parameters are also not included in the security policy and therefore still need to be set system-wide. Security policy always includes all security policy attributes and their suggestion values. Of course, you can always adjust the proposed values according to your requirements. You define security policy about the SECPOL transaction. Select the attributes for which you want to maintain your own values and enter the values accordingly. The Descendable Entries button displays the attributes that are not different from the global entries.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
Make sure that this data is only transmitted encrypted.
In the Manual Adjustment section of selected roles, you can create roles from manually created profiles, generate SAP_NEW (see Tip 64, "Use SAP_NEW correctly"), or generate SAP_APP as roles.