Detect critical base permissions that should not be in application roles
Add external services from SAP CRM to the proposal values
The permission checks are logged as part of the system trace in transaction ST01. It records all permission checks and validated permission values for a specific application server, and specifies, depending on the client, whether the permission checks were successful or not. The Trace display has now been improved (see also SAP Note 1373111).
To make the most of the time stamping process, you should fill the time stamp tables in the legacy system before upgrading. Implement SAP Note 1599128. With this correction, the report SU25_INITIALIZE_TSTMP is delivered, which allows to write the current timestamps of your data from the transaction SU22 into the respective timestamp tables USOBT_TSTMP and USOBX_TSTMP. After the upgrade, you will have a reference date for your SU22 data, which you can use to compare with the SAP proposal data shipped for the new release. Setting the timestamps in the legacy release reduces the effort required to complete step 2a, because only those applications whose SU22 data has been modified are matched. If you have not filled the timestamp tables in the old release, the tables in your new release will be empty. In this case, in step 2a, the content of the SAP proposal values will be compared to the customer proposal values, regardless of a timestamp.
Context-dependent authorizations
Because certain types of permissions, such as analysis permissions, for SAP BW, or structural permissions in SAP ERP HCM are not based on SAP permission profiles, these permissions are not displayed or refreshed in the permission buffer. To analyse such eligibility issues, you must therefore use the appropriate tools, such as the HRAUTH transaction for SAP ERP HCM or the RSECADMIN transaction for SAP BW. The same applies to the Organisation Management buffer if you use indirect role mapping. Run the RHWFINDEXRESET report to reset the Organisation Management buffer. A prerequisite for the user buffer to be up-to-date is the correct user matching (green instead of yellow statusabilds on the Users tab).
Do this once in your system. For example, you can jump from the MM50 transaction to the MM01 transaction without explicitly assigning transaction startup permission to the MM01 transaction through the S_TCODE authorization object. You can see this call in your System Trace for Permissions in the Additional Information column for testing. There you can see that the CALL TRANSACTION call has disabled the permission check. The user is allowed to jump into the transaction MM01, although in the role assigned to him Z_MATERIALSTAMMDATEN only permissions for the transactions MM03 and MM50 are recorded.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
This is a trace that collects authorization data over a longer period of time in several clients and user-independently and stores it in a database (table USOB_AUTHVALTRC).
If some relevant fields of the complete document are hidden, i.e. not available, please refer to the instructions in the SAPHinweis 413956.