Centrally review failed authorisation checks in transaction SU53
Standard authorisation
This report checks the customising of the CRM business role for which the PFCG role is to be created, and writes all area start pages and logical links to a text file in the form of external services. This text file is stored locally in the SAP folder under c:/User//SAP. On the Menu tab of the PFCG role, you can upload this text file from File by selecting Menu > Import.
In SAP systems, authorization structures grow over the years. If, for example, there is a restructuring in the company or there are new organizations, there is a risk that the authorization concept no longer fits or is implemented correctly.
Immediate authorization check - SU53
All external services for cross-navigation are stored in the role menu in the GENERIC_OP_LINKS folder. In addition to this information, this folder also contains external services that represent the already mentioned area start pages and logical links. You can delete the latter, as these are duplicates from the other folders or non-relevant external services. Now, to set up correct permissions for the non-manageable external services in the GENERIC_OP_LINKS folder, you can identify the external services you need for your CRM business role and delete all other external services. However, as I said, there is a risk that too many external services will be deleted and cross-navigation or calling the saved searches will no longer work. It is better to move the GENERIC_OP_LINKS folder to a separate role.
So much information... how can you keep it so that you can find it again when you need it? That's what Scribble Papers is great for.
The permission check for the S_PATH object is performed as described only for files corresponding to a path with a permission group in the SPTH table. In our example, you should grant permission for the S_PATH object with the value FILE in the FS_BRGRU field to access files with the path /tmp/myfiles*. Note that the authorization object only distinguishes two types of access. These two values summarise the access types of the S_DATASET authorization object. The value Modify corresponds to the values Delete, Write, and Write with Filter; the value View corresponds to Read and Read with Filter.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
This priority indicator helps you to identify whether a false positive or an actual security problem is present.
It is also important to note which mandatory functional separation must be taken into account.