Integrate S_TABU_NAM into a Permission Concept
Use AGS Security Services
Typically, this includes permissions that can be used to delete change records in the system or electronically erase them. The traceability of changes is also important in the development system, which is why the authorizations listed below should only be assigned very restrictively or only to emergency users.
Now maintain the permissions and organisation levels. If possible, use organisational level values in the note, which you can find well in other numbers later on, i.e. about 9999 or 1234. After generating and saving the role, you will be returned to eCATT. There you will be asked if you want to accept the data and confirm with Yes. You have now successfully recorded the blueprint. Now the slightly trickier part follows: The identification of the values to be changed at mass execution. In the editor of your test configuration, the record you created is located at the bottom of the text box. We can now execute the test script en masse with any input. We need a test configuration for this. In the example Z_ROLLOUT_STAMMDATEN, enter a corresponding name and click the Create Object button. On the Attribute tab, specify a general description and component. On the Configuration tab, select the test script you created earlier in the corresponding field. Then click the Variants tab. The variants are the input in our script. Since we do not know the format in which eCATT needs the input values, it is helpful to download it first. To do this, select External Variants/Path and click Download Variants. A text file is now created under the appropriate path, containing the desired format with the input parameters. Open the data with Microsoft Excel and set your target value list. To do so, delete the line *ECATTDEFAULT. In the VARIANT column, you can simply use a sequential numbering. Save the file in text format, not in any Excel format.
Authorization concept - user administration process
After these preparations, we now proceed to the expression of the User-Exit in the validation that has just been created. To do this, you copy the User-Exit definition in the created custom programme, specify a name for the User-Exit definition (e.g. UGALI) and create a new text element.
The changes made by inserting the note or upgrading to the above support packages do not only affect the SAP_ALL profile. While it remains possible to assign the full RFC_SYSID, RFC_CLIENT, and RFC_USER permissions in principle; However, this can only be done manually in the PFCG transaction through the dialogue maintenance of the fields. In this case, another dialogue box will open, indicating the security risk. You must confirm this window. From this change of behaviour of the SAP_ALL profile, it follows that all automatic methods for taking over the overall authorisation are no longer available in the fields of the S_RFCACL authorization object.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
You can also remove customer-specific organisational levels and convert them to a simple permission field.
Which users have a specific role (PFCG)? To answer this question you start with the transaction PFCG - the mother of all transactions in the environment of SAP roles and authorizations.