Landscapes
SAP Basis - the secure foundation of the SAP system
To add additional permissions for defined groups in the launchpad to PFCG roles, follow the steps described above. This time, you only select a "SAP Fiori tile group" instead of a "SAP Fiori tile catalogue". There are very few differences between permissions. Fiori Eligibility for OData Services The launch authorisation for the OData service stored in the backend from a Fiori app is queried on both the front-end and back-end servers when the application is launched. Therefore, this permission must be added to the appropriate role on both servers. The typical sequence of clicking on a Fiori app in the launchpad triggers the following steps: 1) When selecting the tile, the app Fiori implementation is called 2) The app retrieves dynamic data from the HTTP endpoint of the OData service on the frontend server from 3) An RFC call to the gateway activation of the backend system is followed, retrieving the relevant business logic 4) Now the Fiori permission for the corresponding OData service is queried on the backend 5) If this was successful the appropriate business logic permissions are queried in the OData service. To add the Fiori permission to run a OData service for an app to a role, please perform the following steps: In the PFCG, open the appropriate role in Change mode, perform steps on the following screenshot: 1) Select Menu tab 2) Arrow next to the "Transaction" button click 3) Select Permissions proposal.
Every SAP Basis system must be controlled and managed by an administrator. The person responsible ensures smooth operation of the system. This can be an internal administrator, or can be handed over to external service providers.
SAP Security Audit & Monitoring
You would like to know more about what is happening on your SAP systems - then I recommend that you take a closer look at the Solution Manager Usage Procedure Logging (UPL) functionality. What code is often executed? Which database tables are accessed regularly? What unused developments exist? - The UPL provides answers to these questions. You can implement the functionality into your existing SAP landscape without additional licence costs and with moderate effort. What information does the UPL provide? Usage Procedure Logging is used to log and record user behaviour data roughly comparable to the ST03N workload statistics. UPL is able to record the call and execution of the following ABAP objects: Reports Functional Blocks Classes Methods Subroutines SQL Calls In addition, UPL is able to detect dynamic programme calls and generate transparency about the modifications used. All usage data is recorded in detail and automated and, if desired, made available centrally in the SAP Solution Manager. Benefits 1) Hardly measurable Performance Impact 2) Central collection of data of all systems in the SAP Solution Manager's BW 3) No complex setup 4) Once activated, the collector and extractor jobs run regularly and without further manual activities Possible usage scenario If you have Solution Manager 7.2 in use, you can use UPL within the framework of "Custom Code Lifecycle Management" (in German: management of customer developments). After one activation of the BW content and some standard jobs, you select one or more systems for which you want to activate UPL. If you already have the SP05 installed, there is a separate "Guided Procedure" for configuring the UPL in SOLMAN_SETUP.
Furthermore, the DISPLAY system variable must be set in order to start the TREX admin tool. Details and a guide to installing the tool can be found here: instguides → SAP NetWeaver → Released 04 → Installation → Cross-NW → Installation Guide Search and Classification TREX.
For administrators, a useful product - "Shortcut for SAP Systems" - is available in the SAP basis area.
Flags & Criticality The tool offers in its options the possibility to set flags for critical roles and highlight them in particular.
The new roles also provide increased visibility and participation in company decisions.