Lack of definition of an internal control system (ICS)
Authorization concept - recertification process
Trace after missing permissions: Run the System Trace for Permissions (ST01 or STAUTHTRACE transaction) to record permission checks that you want to include in the role (see Tip 31, "Optimise Trace Evaluation"). Applications are logged through the Launch Permissions checks.
You must set up a message class for later use. To do this, you will be prompted automatically when the transaction GGB0 is first called. If some relevant fields of the complete document are hidden, i.e. not available, please refer to the instructions in the SAPHinweis 413956. Set up validation in the GGB0 transaction (such as GALILEO) and determine the steps of validation. In the validation process, copy the RGGBR000 programme into your Customer Name Room, replacing the last three characters with the number of the client in which the validation will be performed. Then assign your new customer-owned programme with the GCX2 transaction to the GBLR user exit control workspace. This assignment has created the prerequisite for client-dependent user exits. If you want to set up a client-independent user exit, do the same, but use the transaction GCX1.
Define S_RFC permissions using usage data
In addition to SAP book recommendations on SAP authorizations, I can also recommend the books from Espresso Tutorials such as "SAP Authorizations for Users and Beginners" by Andreas Prieß * or also the video tutorial "SAP Authorizations Basics - Techniques and Best Practices for More Security in SAP" by Tobias Harmes. Both are, among other media, also included in the Espresso Tutorials Flatrate, which I have also presented in more detail under SAP Know How.
The freeware Scribble Papers is a "note box" in which all kinds of data can be stored. It takes in typed texts as well as graphics and entire documents. The data is then organised in folders and pages.
In the simulation overview you will now receive all the information you already know from the authorisation maintenance in the transaction PFCG. The results are presented in a table where each row corresponds to a value interval of a permission. The Object column specifies the authorization object. Use the Active/Inactive column to determine if the permission has been disabled. The Maintenance Status and Update Status columns provide information about the status of the permission and how the permission has been updated. In the Permissions Comparison column, you can find out what exactly changed on the permission, such as whether a permission has been deleted or added anew, or whether the field values in the permission have been updated. You can find information about the field values in the Value Comparison column, which shows whether values have remained the same, whether they have been added or deleted. The values that were actually deleted and added can be seen in the columns from Value to Value (see figure next page). Please note that this is only a simulation. You must still perform the actual mixing process in the permission maintenance. Because reel mixing is not only a factor in upgrade work, the transaction SUPC also provides the ability to call this simulation mode. In the overview of the selected rolls you will find the button Mix which simulates the mixing process.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
With the Apply button, you can now take the values line by line, column by column, or field by field.
As described in Tip 22, "Application Solutions for User Management in SAP HANA", there are different application scenarios where the permission assignment on the HANA database is required.