Authorization concepts - advantages and architecture
Reference users are not intended to access an SAP system, but are used for authorisation administration and therefore always have a disabled password. Reference users inherit the permissions assigned to them to the users with whom the reference user is registered. For this purpose, the user buffer of the reference user is also created at login and these entries are also checked during permission checks of the inheriting user.
The customising objects you have just created are now integrated into your own IMG structure. To do this, open the SIMGH transaction again, call your structure in Change mode, and paste it under the previously created folder by selecting Action > Insert a Level Lower. You should already create a documentation of the same name with the installation of the Customising objects. To do this, select the Create button on the Document tab and write a text to save it and then activate it.
Installing and executing ABAP source code via RFC
In addition to defining permissions for external RFC access through the S_RFC authorization object, it is possible to prevent external calls to function blocks. From SAP Net-Weaver AS ABAP 7.40 there is the additional SAP Unified Connectivity (UCON) layer. It controls external access to RFC function blocks independently of users or roles and can be configured to suit your needs. All function modules that are to be executable via RFC are entered into the UCON Communication Assembly. If a function block is not stored there, the call will be blocked. UCON has been designed to minimise impact on RFC call performance. The necessary function blocks are identified in the UCON Phase Tool (transaction UCONPHTL), which constantly monitors all external RFC calls and supports an introduction of the UCON Communication Assembly. This allows calls to new function blocks (such as custom developments, support package changes) to be analysed and, if necessary, released for external access. In addition, UCON offers the possibility to review the configuration in an evaluation phase. There are approximately 40,000 RFC-enabled function blocks in an ERP system; Usually no more than a few hundred of them are used. With the use of UCON you therefore increase the security of your system.
So much information... how can you keep it so that you can find it again when you need it? That's what Scribble Papers is great for.
Use the RSUSR003 standard report (or RSUSR003 transaction) to validate the default users for initial passwords and ensure the security policies associated with those users. You can define and use your own layout on the home page. After the report is executed, you will be presented with an overview of the existing standard users in the different companies. This includes the password status, a lock flag, the reasons for the lock, the number of false logins, the user validity periods and the security policies associated with the users. The security policy appears to help you understand whether these users are subject to special login or password rules.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
To enable a user to maintain this table by using the SM30 transaction, you must maintain the S_TABU_CLI authorization object, in addition to the table permission group or specific table, as follows: CLIIDMAINT: X.
Transactional tiles: These tiles provide access to "old" transactions in the FIORI interface, or new features are stored in "old" transactions, which can then only be used in the FIORI interface, but not in the GUI interface.