Centrally review failed authorisation checks in transaction SU53
Retain the values of the permission trace to the role menu
We recommend you to transport all these changes. Basically, you should always make changes to organisation levels on your development system and then transport them. If you use multiple clients, you should note that the organisation levels and the proposed permissions are client-independent data, whereas the roles and profiles in question are client-dependent. If you are using more than one client, you must also run the PFCG_ORGFIELD_ROLES report in the other mandates to determine the roles that the new organisation level will contain. With the help of this report, you must then rearrange all the roles listed in the Status column: Orgebene in Role are indicated in red. You can select these roles and then use the Reduce in Roles button to adjust them to the new organisation level.
Thus, after evaluation, you can select all SAP hints with the status to implement and load directly into the Note Assistant (transaction SNOTE) of the connected system. This is only possible for a development system and if the SAP Solution Manager can use an appropriate RFC connection to the connected system. You should also consider the security advisories that apply to applications that are installed on your system but that you do not use productively. These vulnerabilities can also be used for an attack.
Basics SAP Authorizations including Fiori - Online Training
Once the programme implementation and documentation have been completed, a functional test will always follow. A corresponding eligibility test should not be forgotten. The permission test must include both a positive and a negative permission test.
So much information... how can you keep it so that you can find it again when you need it? Scribble Papers is a "note box" that makes this very easy.
Insert SAP Notes 1656965 and 1793961 into your system. With these hints, the report RSUSR_LOCK_USERS is delivered or extended. This report supports automatic selection and blocking of inactive users. To do this, you have to select the criteria in the selection screen of the RSUSR_LOCK_USERS report, according to which you want to lock or invalidate users. You can determine the choice of users by using various criteria. It is recommended to take into account the period since the last login in the Days since last login field and the password status in the Days since password change field. You have the option to check the result of the selection and view the users found. To do this, select the Test of Selection action in the Select Action pane. You can also choose between the User Lock-outs (Local Lock-outs) and User Unlock (Local Lock-outs) actions in this area. You can set the end of a user's validity by clicking the corresponding options for "today" or "yesterday". Note that you can only set the validity for current users.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
These include defining the ZBV landscape, i.e. defining the central system and subsidiary systems, adjusting the distribution parameters and transferring users from the subsidiary systems to the central system.
In the Output pane, you can view the change documents of a remote subsidiary system, or in the Selection Criteria pane, you can restrict the change documents for the central system (transmit system) or only for specific daughter systems.