Use automatic synchronisation in central user management
Object S_BTCH_ADM (batch administration authorization)
Customising roles are temporary because of their project nature. Therefore, when assigning users, maintain the end date. You cannot also map transactions manually if you created a role directly from a project or project view. Conversely, you cannot use an existing transaction role in the menu as a customising role. The transactions associated with a customising role are not displayed in the Session Manager or the SAP Easy Access menu, but can only be viewed through the view in the customising.
In order to use the statistical usage data, you must first extend the default SAP value of the retention time to a reasonable period of time. For a representative period, a minimum of 14 months and a maximum of 24 months shall be sufficient. This includes day-to-day business, monthly financial statements, underyear activities such as inventory and annual financial statements. Now call the transaction ST03N and navigate to: Collector & Perf. Database > Performance Database > Workload Collector Database > Reorganisation > Control Panel.
Add External Services from SAP CRM to the User Menu
Careful preparation is a prerequisite for a successful authorisation check. A functional specification must be created for all customer-specific functionalities. This forces us to think about what the actual requirements of the application are and then describe the possible implementation. In doing so, security-related aspects, such as eligibility testing and allocation, must be taken into account. Define what you can do with this programme and also what you cannot do explicitly! In the case of a permission check, not only the activity to be performed, such as reading, changing, creating, etc. , can be checked. You can also restrict access to records by using specific criteria, such as field content or organisational separators.
In principle, the SAP_NEW permission should not be granted in the production system. The Profiles tab displays the generated profiles in the user master record that are associated with a specific user. Here you can also assign manually created permission profiles from the transaction SU02 - even without direct role mapping. In principle, the recommendation is to use the profile generator (transaction PFCG) to generate authorisation profiles automatically. Special caution is taken when you enter generated permission profiles directly on the Profiles tab, as these assignments will be deleted by matching user assignments with the transaction PFUD if no entry is on the Roles tab for the assignment. You have probably assigned SAP_ALL and SAP_NEW to users for whom there should be no restrictions in the SAP system. But what are these two profiles different from each other and why are they necessary?
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
Permissions are often not restricted because there is often no information about how the object should be shaped.
As part of identifying authorization problems, it should be documented what the risks are if the current situation is maintained.