Maintain authorization objects more easily
Authorizations in SAP BW, HANA and BW/4HANA
The case that the user buffer is not up to date is very rare. The auth/new_buffering profile parameter sets the value 4 to immediately update the permissions, i.e. changes to the user root or roles or profiles, and write them to the USRBF2 database table without requiring a new login. This value is set by default. The fact that the buffer is not up-to-date is recognised by the fact that existing permissions that are not in the buffer are marked in the transaction SU56 with the note "In the root data but not in the user buffer".
In SAP systems, authorization structures grow over the years. If, for example, there is a restructuring in the company or there are new organizations, there is a risk that the authorization concept no longer fits or is implemented correctly.
User trace - Transaction: STUSERTRACE - With the transaction STUSERTRACE you call the user trace. Basically, this is the authorization trace (transaction STUSOBTRACE), which filters for individual users. So you can call exactly the authorization trace and set the filter on a user. As with the authorization trace, the profile parameter "auth/authorization_trace" must be set accordingly in the parameter administration (transaction RZ10).
To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.
Developer and customizing authorizations represent a great potential danger in productive SAP systems. Here, authorizations must be assigned very restrictively, e.g. only to emergency users. The same applies to RFC connections from a development system to productive systems. Such connections can only be used to a very limited extent.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
If this check fails, the system also checks the authorizations for the name of the function module.
We give you a guide to record permissions checks on certain application servers, but we also show you a way to use this feature centrally.