Consolidate user-level role mapping
The Anatomy of SAP Authorization or Documentation on SAP Authorization Objects and Authorization Field Values
In many SAP environments, there are historically grown authorization structures that cause unnecessary security gaps. These should be examined closely.
If you manage your SAP system landscape via the Central User Administration (ZBV), you must insert SAP Note 1663177 into both the ZBV system and all attached subsidiary systems. In this case, also note that the default user group will be assigned in the daughter systems if no user group has been distributed during the user's installation from the ZBV. In addition, you will receive an error message in the SCUL transaction stating that a user group must be assigned to the user (via the ZBV headquarters). This behaviour is independent of the settings of the distribution parameters for the user group in the SCUM transaction. If you have set the distribution parameters for the user group to Global or Redistribution, the appropriate subsidiary system will reject the changes made to users that do not have a user group in the Central System, and you will receive an error message in the SCUL transaction.
Evaluate Permission Traces across Application Servers
User trace - Transaction: STUSERTRACE - With the transaction STUSERTRACE you call the user trace. Basically, this is the authorization trace (transaction STUSOBTRACE), which filters for individual users. So you can call exactly the authorization trace and set the filter on a user. As with the authorization trace, the profile parameter "auth/authorization_trace" must be set accordingly in the parameter administration (transaction RZ10).
You would like to revise your authorisation concept and tailor SAP roles only to the productive processes. We show you how to use the statistical usage data from the Workload Monitor for the SAP role definition. One of the biggest effort drivers in redesigning SAP role concepts is the definition of transactional expression of SAP roles. By using the statistical usage data from the workload monitor, you can avoid costly coordination with process managers in the sense of a Green Field Approach. In this way, you can tailor your SAP role concepts to the content of the usage behaviour. The only requirement is that the data be available for a representative period. This is two months in the SAP standard; You can also extend this time period. Below we describe how you can use the statistical usage data from the Workload Monitor for the SAP role definition.
With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.
To create a authorization object, you must first select the result area and the form of the result invoice, whether calculating or accounting, for which you want to validate the authorization object.
The focus should be on saving the current authorization concept, since rebuilding it takes more time than cleaning it up.