Efficient SAP rollout through central, tool-supported management
System Settings
First and foremost, legal principles must be stated and specific reference must be made to authorizations that are critical to the law and that may not be assigned (or at most may be assigned to emergency users). An example is the authorization "Debugging with Replace", to which the object S_DEVELOP with the values ACTVT = 02 and OBJTYPE = DEBUG legitimizes and over which data can be manipulated by main memory change. However, this would violate § 239 of the German Commercial Code, the so-called "erasure prohibition".
After all authorizations are maintained, the role must be saved and generated and a user comparison must be performed. However, this should not be a topic here in the article. This can also be done with the transaction PFUD (see comments to the article "SAP BC: Empty user buffer" :-).
User administration (transaction SU01)
Your SAP system landscape keeps you safe and up-to-date by inserting different types of SAP hints and patches. For a first overview of the security information for SAP systems, see the SAP Service Marketplace at https://service.sap.com/securitynotes. For a complete list of all security advisories for all SAP solutions (SAP NetWeaver Application Server ABAP and Java, TREX, SAP HANA, Sybase, SAP GUI, etc.), see Security Notes Search on this page. The My Security Notes page allows you to find the SAP notes that are relevant for systems registered in SAP Service Marketplace. This does not take into account information already recorded.
However, the greatest advantage is the consistent use of reference users for performance. The use of reference users reduces the number of entries per user in the user buffer, i.e. in the USRBF2 table. This is because the entries in the user buffer only have to be stored once for the reference user and not more times for the inheriting users. This reduction in the table contents of the USRBF2 table will improve performance when performing eligibility tests.
With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.
If a specific piece of information about an employee is required, it can be read out via a path.
To do this, you must first create meaningful subfolders in the customer's own structure.