Activity level
Permissions with Maintenance Status Changed or Manual
Certain SAP authorizations, including those for table maintenance (S_TABU_*) require special attention for data protection reasons. These are known as critical authorizations. In the course of authorization planning, a company should determine which authorizations are to be considered critical, which roles may receive which critical authorizations or values for critical authorization fields, and so on. The German Federal Office for Information Security has compiled detailed information on defining critical authorizations.
The valid programmes or transactions are stored in the SAP TPCPROGS delivery table, but do not follow a uniform naming convention. Part of the transaction code (e.g. AW01N), part of the report name (e.g. RFEPOS00), or the logical database (e.g. SAPDBADA) is relevant here. Logical databases (e.g. SAPDBADA, SAPDBBRF) are basic data selection programmes and are particularly used in financial accounting. The permission checks, including the time period delimitation, are implemented in the logical database and work for all reports based on a logical database (e.g. the RAGITT00 grid is based on SAPDBADA and the RFBILA00 balance sheet report is based on SAPDBSDF). When you copy the values from the TPCPROGS table, the TPC4 transaction is quickly configured.
SIVIS as a Service
If you want to export the movement data of the productive system to a development system, you should first export user master records and the permission proposal values and archive the complete change documents. After importing, you can then delete the imported change documents, in analogy to the client copy, and then reload and index the original change documents of the development system. The activities described here require administrative permissions for the change documents (S_SCD0 and S_ARCHIVE) and, if applicable, for the table logs (S_TABU_DIS or S_TABU_NAM and S_ARCHIVE). These permissions should be considered critical, and you should assign them to a small circle.
So much information... how can you keep it so that you can find it again when you need it? Scribble Papers is a "note box" that makes this very easy.
With the help of the SAP-Note 1642106 it is possible to automatically perform the text comparison from SAP NetWeaver AS ABAP 7.0. Inserting the note will automatically perform text matching for any changes to PFCG roles in the central system. We recommend that you install the support package that is appropriate for your release, which is specified in the SAP Note, because inserting the hint requires a lot of manual work. With the help of the SUSR_ZBV_GET_RECEIVER_PROFILES report, you can turn on the new functionality in all subsidiary systems where the correction information has also been recorded. If you run the report in the central system with the default selection, all subsidiary systems are included. You can check whether the function is present in the daughter systems in the report log.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
Once the programme implementation and documentation have been completed, a functional test will always follow.
It controls external access to RFC function blocks independently of users or roles and can be configured to suit your needs.