Equal permissions
FAQ
Locking and validity of the user account is done through the user administrator and is also valid for other authentication procedures. This means that a login via SSO is not possible for an invalid user or a user with administrator lock. We therefore always recommend that you prevent access to the system by setting the validity of users. Setting validity on assigned roles also prevents the user from performing actions in the system, but does not generally prevent them from logging in.
Transaction SE63 allows you to translate a variety of text in the SAP system. You can find the texts relevant to the permission roles by going to the Translation > ABAP Objects > Short Texts menu. In the Object Type Selection pop-up window that appears, select the S3 ABAP Texts node and select the ACGR Roles sub-point. You can now select the role in the following screen. You must note that the system expects the client to be prefixed, and the next step allows you to maintain the chunk in the target language. The variable AGR_TEXTS 00002 corresponds to the description of the role and the variable AGR_HIERT_TEXT 00001 corresponds to the description of the transactions contained therein. After you have saved the entry, the description of the role is also maintained in the target language, in our example in the English language and visible after the login. Select the source language correctly in the field.
Preventing sprawl with the workload monitor
Transaction PFCG also offers you the option of automatically collecting permissions. Not every transaction entered into a single role via a role menu necessarily needs its own permission entry in the permission tree, because some transactions have identical or similar permission proposal values.
So much information... how can you keep it so that you can find it again when you need it? Scribble Papers is a "note box" that makes this very easy.
TMSADM: The user TMSADM serves the communication between SAP systems in the transport management system and is automatically created in the client 000 when they are configured. TMSADM only has the permissions to access the common transport directory, view in the change and transport management system, and the necessary RFC permissions. Safeguard measures: Change the user's passwords in each client. There is the report TMS_UPDATE_PWD_OF_TMSADM, which you have to start in the client 000. This is only possible if you have administrator privileges on all systems in the landscape and the password rules of the systems are compatible. After the report has been successfully passed, all TMSADM users of the landscape in the client 000 and their destinations have the same new password.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
For the evaluation of the security advisories, you should define a monthly security patch process.
In this part, the concentration is on a deeper level, namely directly in the SAP® system.