Set Configuration Validation
Create order through role-based permissions
We are often asked how permissions are properly assigned to schedule background jobs and manage those jobs. Just follow the guidelines below. Whenever you want programmes to run periodically at specific times without user interaction, or when their runtime should not interfere with normal dialogue operations, schedule them as batch jobs in the background. The scheduling and editing of batch jobs is regulated by permissions, which are often not clear about their use. We therefore explain to you what permissions are necessary for and which authorization objects are important.
All external services with their suggested values can be viewed or maintained in the transaction SU24. Access to external services or all CRM functions and data within CRM functions is realised via PFCG roles. To create these PFCG roles, you must first create a role menu. To do this, run the report CRMD_UI_ROLE_PREPARE. You can specify either the name of the CRM Business Role (User Role) or the name of the assigned PFCG role. It is also important that you specify the language in which the PFCG role will be maintained in the appropriate field.
Audit Information System Cockpit
For a long time, SAP authorization consultants and ABAP developers have disagreed on how to implement authorization object characteristics in the coding. There are two positions: On the one hand, consultants advise never to test for the signal word DUMMY, the constant space or the literal ' '. These tests only superficially check for the existence of an authorization object and do not react to settings in the field specification in the profile of the roles. Moreover, the literal ' ' is then authorized because it is displayed in the transaction STAUTHTRACE. On the other hand, there are situations where development uses these superficial tests to save the user time and the machine resources. If the program determines early on that the user does not have the necessary objects in the user buffer, it may abort before the first SELECT and issue an appropriate error message. Both positions contain a kernel of truth. Let's look at the effects of different programming on a simplified example. The role(s) have only the authorization object S_DEVELOP with the field value DEVCLASS "Z*".
Every action of the emergency user must be traceable, which requires the appropriate configuration of logging components such as the Security Audit Log. After the event, all log files are always evaluated and all details are recorded in documentation. It is also possible to specify in the concept that, in the event of an emergency, extended authorization may be granted to other selected users; this is up to the company to decide.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
If the ADD_S_RFCACL entry is YES, SAP_ALL still contains the total permissions for the S_RFCACL authorization object.
The results obtained from this form an excellent basis for estimating the project scope and implementation timeframe.