Evaluation of the authorization check SU53
Customise evaluation paths in SAP CRM for indirect role mapping
For simplicity, we want to explain this example by using the PFCG_TIME_DEPENDENCY background job. This job calls the report RHAUTUPD_NEW or can be executed directly with the transaction PFUD. Imagine that there's no transactional code for this job yet.
A typical application arises when a new SAP user is requested. The data owner now checks whether the person making the request and the person to be authorized are at all authorized to do so, what data would be affected, whether an SAP user already exists to whom new roles can be assigned and old ones revoked, whether data access can be limited in time, and so on.
Use timestamp in transaction SU25
Even the best authorization tools cannot compensate for structural and strategic imbalances. Even a lack of know-how about SAP authorizations cannot be compensated for cost-effectively by means of tools.
The freeware Scribble Papers is a "note box" in which all kinds of data can be stored. It takes in typed texts as well as graphics and entire documents. The data is then organised in folders and pages.
When configuring the Security Audit Log, you must consider the storage of the files. At least one separate file is created for each day. When the maximum size of all files for the tag is reached, additional events are stopped. So you should always adjust the maximum size of the file to your needs using the parameters rsau/max_diskspace/per_file and rsau/max_diskspace/per_day. The rsau/max_diskspace/local parameter is obsolete in this case, but remains active if the other two parameters are not maintained.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
After rolling the profiles do not match your last changes? With the new features in the transport management of rolls, you can avoid such inconsistencies and connect role maintenance to the customising setting.
The user administration process, i.e. user creation, modification and deactivation, should on the one hand be available in written documented form, either as a separate document or as part of the authorization concept documented in writing, and on the other hand also be carried out in accordance with the documentation.