Schedule PFUD transaction on a regular basis
An SAP security check focuses in particular on the assignment of authorizations. This is what enables users to work with the SAP system in the first place, but it can, under certain circumstances, unintentionally add up to conflicts over the separation of functions or even legally critical authorizations. For this reason, tools for technical analysis must be used regularly to provide the status quo of authorization assignment and thus the basis for optimization.
Standard users such as SAP* or DDIC should also be implemented correctly in accordance with the authorization concept or SAP's recommendations. An important preparatory action here is to check whether the passwords have been changed for all standard users.
By correcting SAP Note 1692243, you can now also use the report in a ZBV (Central User Management) environment; It is no longer limited to individual clients. If the role assignment of the ZBV in the SCUM transaction is set to global, it is sufficient if the correction is recorded in the central client. Then it is only possible to execute the report in the central client. Furthermore, you have the option to select the ZBV's subsidiary systems from the Receive System drop-down box in such a way that only the systems in which the role assignment is to be consolidated or deleted are taken into account. In the results list of the consolidated role assignment, you will now be listed in the ZBV-System column the subsidiary systems where consolidation or deletion took place.
So much information... how can you keep it so that you can find it again when you need it? That's what Scribble Papers is great for.
The general SAP authorizations are used most often and for many things they are sufficient. For example, if only the HR department has access to the SAP HCM system. However, if other users come onto the system and you only want to allow them access to a limited number of personnel, then in the case of the general authorizations you have to deal with the organization key of infotype 1 (VSDK1), which must be hard-coded into the authorization roles. If ESS/MSS or Manager Desktop etc. now come into play, however, this means a large number of authorization roles, namely a separate one for each manager. This makes maintenance and servicing very time-consuming and your authorization concept becomes opaque, which in turn brings the much-quoted auditor onto the scene.
With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.
This correction is also important because it fixes runtime problems when releasing role transports, resulting from the correction in SAP Note 1614407.
Now, if a user attempts to execute a report (for example, by using the KE30 transaction), the user's permissions for that authorization object are checked.