Use Custom Permissions
SAP license optimization
With the SAP NetWeaver 7.03 and 7.30 releases, Web Dynpro ABAP applications (as well as other Web Dynpro ABAP functions, see SAP Note 1413011) have been tested for permission to launch such applications. The authorization object that controls this startup permission is S_START. This authorization object is used in the same way as the S_TCODE authorization object.
Typically, this includes permissions that can be used to delete change records in the system or electronically erase them. The traceability of changes is also important in the development system, which is why the authorizations listed below should only be assigned very restrictively or only to emergency users.
SAP authorizations: Recommendations for setting up, monitoring and controlling
Thus, after evaluation, you can select all SAP hints with the status to implement and load directly into the Note Assistant (transaction SNOTE) of the connected system. This is only possible for a development system and if the SAP Solution Manager can use an appropriate RFC connection to the connected system. You should also consider the security advisories that apply to applications that are installed on your system but that you do not use productively. These vulnerabilities can also be used for an attack.
A careless handling of the permissions with sensitive employee data can go quite nicely in the pants. Prevent uncontrolled and extensive reporting access to your HCM data by properly using the P_ABAP authorization object. In many companies, the correct use of P_ABAP is not known. As a result, there are often false expressions that, in the worst case, allow uncontrolled reporting access to all data in the logical database PNPCE (or PNP). This way, you can again erase your access restrictions, which were previously painstakingly defined in a permission concept. Therefore, it is necessary to test the use of P_ABAP in individual cases and to use the existing limitations. In the following we describe the logic behind this authorization object and what it is important to avoid.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
By contrast, you will find the relevant user administration change documents in the production systems; Therefore, you should note that when importing roles and profiles in the production systems, no change documents are written.
The SAP Code Vulnerability Analyser is integrated into the ABAP Test Cockpit (ATC) and thus available in all ABAP editors such as SE80, SE38, SE24, etc.