How to analyze roles and authorizations in the SAP system
Object S_BTCH_NAM and S_BTCH_NA1 (use of foreign users in Steps)
Here, too, it is possible to create security and an overview with the help of tools for HR authorizations. The tool creates a clear overview of which data certain users are allowed to access in the SAP system. Based on this, it is possible to develop automatic checks that run in the background and regularly monitor whether changes to authorizations have created critical gaps in HR.
The security audit log is evaluated via the SM20 or SM20N transaction or the RSAU_SELECT_EVENTS report. We recommend using the report as you have more options to personalise the evaluation and to include archived logs of different application servers in the evaluation.
Authorization roles (transaction PFCG)
Permissions profiles are transported in the standard (since release 4.6C) with the roles. If you do not want to do this, you have to stop the data export in the source system by the control entry PROFILE_TRANSPORT = NO. The profiles must then be created by mass generation before the user logs are matched in the target system. This can be done via transaction SUPC.
However, the permission trace is a long-term trace that you can turn on using the auth/authorisation_trace dynamic profile parameter. This trace is user- and client-independent. In the USOB_AUTHVALTRC table, the trace supplements the permissions checks that were not captured before the application ran. This function can also be used for customer-specific developments. Now, go to the RZ11 transaction, enter the auth/authorisation_trace parameter name in the selection box, and click View. You will now get to the detailed view of the profile parameter with all properties and the link to a documentation. To turn the trace on, click Change Value and a pop-up window will open. Enter "Y" or "F" for filters here if you want to define a filter (see Tip 38, "Use SU22 and SU24 transactions correctly") and save your input. A warning appears informing you that the parameter value would be reset when the application server is launched.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
The website www.sap-corner.de offers many useful information about SAP basis.
If there are no permission fields or if there are too many entries, these data will be corrected in the proposal values.
To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.
Here you can change all filter settings, but not the number of existing filters.