Development
The Anatomy of SAP Authorization or Documentation on SAP Authorization Objects and Authorization Field Values
When creating the PFCG individual roles in the respective SAP system, you should create the menu structure so that they can be combined with other individual roles in a single role. Once you have created the individual roles with the correct role menu, you can assign them to a collection role. Add the Role Menu to the Collect Roll using the Read Menu button. The menu can now be finally sorted. If changes to the roll menu are necessary, however, you must first make them in the individual rolls and then remix them in the roll roll (using the Mix button, see figure next page above). Transactions from other SAP systems such as SAP CRM, SAP SCM etc. can also be integrated into the NWBC. To do this, you first create the PFCG role for the relevant transactions in the target system. From the individual roles you can create collection roles with a defined menu structure.
The SAP Code Vulnerability Analyser can be used to scan both custom on-premise and on-demand applications programmed in ABAP. The SAP Code Vulnerability Analyser is included with SAP NetWeaver AS ABAP 7.02; an installation is not necessary. For details on the relevant support packages, please refer to SAP Notes 1921820 and 1841643. You do not need additional servers or additional administration. You can activate the SAP Code Vulnerability Analyser with the RSLIN_SEC_LICENSE_SETUP report, but you have to pay additional royalties for it.
Encrypt e-mails
After the functional specification has been removed, the implementation can begin: To do this, first create your custom authorization object and implement the permission check provided. The next step is to maintain the SU24 transaction proposal values for the respective customer transaction. To do this, call your custom-created transaction and assign the necessary authorization objects either manually by using the Object button, or use the Permissions or System Trace to assign the permissions (see Tip 40, "Using the Permissions Trace to Determine Custom Permissions Proposal Values"). You must leave the authorization objects used in the customer's own coding. For each authorization object, you can maintain field values that appear as suggestion values in the respective roles. Now all the roles concerned must be adapted. If the mixing mode for the transaction PFCG is set to On (see tip 38, "Use transactions SU22 and SU24 correctly"), all PFCG roles assigned to the transaction in the role menu will be recognised and can be remixed via the transaction SUPC. If the customer's transaction is not yet in the PFCG rolls, it will be added here and the respective PFCG role will be remixed.
The object S_PROGRAM checks since SAP Release 2.x for the field TRDIR-SECU i.e. the authorization group of the program. As of Release 7.40, you can optionally switch on a check for the object S_PROGNAM. For more information, see note 2272827 for further instructions. The check on S_PROGNAM MUST first be activated in the customer system. Note, however, that they CORRECTLY authorize S_PROGNAM before doing so, otherwise NOBODY except emergency users will be able to start any report or report transaction after the SACF scenario is activated.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
As described in Tip 22, "Application Solutions for User Management in SAP HANA", there are different application scenarios where the permission assignment on the HANA database is required.
Correction is used to change the mixing mode for PFCG: On/Off/Roles.