Check the SAP authorization concept
Mitigating GRC risks for SAP systems
You can still assign roles and profiles to a user if you have the appropriate permissions to these activities. As long as no user group is associated with the user, permissions for any user group will be sufficient. If you assign a user group to the newly created user, all the checks will be repeated for that user group.
However, the authorization trace is not active by default, but must be explicitly activated via the profile parameter "auth/authorization_trace". In transaction RZ11 you can easily and quickly check if the parameter is already set. The profile parameter is set in transaction RZ10. By default, the profile parameter is active in SAP systems (profile parameter transport/systemtype = SAP) and inactive in customer systems (profile parameter transport/systemtype = CUSTOMER).
Set up permissions to access specific CO-PA measures
Confirmation of the dialogue will immediately start the recording; They therefore end up in the PFCG transaction. We want to record the creation of a single role derived from a reference role. Complete the appropriate steps in the PFCG transaction and try to avoid unnecessary steps - every step you take will make your recording bigger and less cluttered. Enter the name of the derived role - we can influence it later when playing with eCATT - and specify the role. Now assign the reference role. Note that the PFCG transaction is actually executed, so the role is actually created in the system! In the SCC4 transaction, first check whether eCATT is allowed to run. Then start the SECATT transaction. As you get started, you can define and modify test scripts and test configurations. First, create a test script. Think of it as a blueprint or a flow rule for how to create new derived roles. The test script will contain your recording later. Give the script a talking name, such as Z_MASSENGERATION_DERIVATIVES. Then click the Create Object button. You will now go to the Attribute tab, where you specify the general frame data. Then click the Editor tab. Now it goes to the recording, in the eCATT language called patterns. Click the Pattern button and specify that you want to record the PFCG transaction by selecting the UIAncontrol and TCD (Record) settings. The system will propose to call the interface "PFCG_1"; You can simply confirm this.
So much information... how can you keep it so that you can find it again when you need it? That's what Scribble Papers is great for.
For the entries in the SPTH table, note that the application defines whether a file is accessed with or without the path. For example, the related transactions ST11 (error log files) and AL11 (SAP directories) behave differently. While ST11 opens almost all files without a path (they are in the DIR_HOME directory anyway), AL11 basically uses fully specified file names with a path. An entry in the SPTH table with PATH = / is therefore misleading. It specifies that the defined access restrictions apply to all files specified by path. However, this only applies to applications that access files using a specified path. However, applications that access files without a path are not restricted; Files in the DIR_HOME directory may be excluded.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
Since SAP NetWeaver 7.02, such a feature is available, which means that you can access the data from the system trace to maintain PFCG roles.
This could be Organizational Management or Personnel Development, for example.