What are SAP authorizations?
SAP authorizations: Recommendations for setting up, monitoring and controlling
You would like to revise your authorisation concept and tailor SAP roles only to the productive processes. We show you how to use the statistical usage data from the Workload Monitor for the SAP role definition. One of the biggest effort drivers in redesigning SAP role concepts is the definition of transactional expression of SAP roles. By using the statistical usage data from the workload monitor, you can avoid costly coordination with process managers in the sense of a Green Field Approach. In this way, you can tailor your SAP role concepts to the content of the usage behaviour. The only requirement is that the data be available for a representative period. This is two months in the SAP standard; You can also extend this time period. Below we describe how you can use the statistical usage data from the Workload Monitor for the SAP role definition.
You use Central User Management and wonder why you still need to evaluate the licence data individually in the attached systems. This does not have to be the case, because a central evaluation is possible! There are licence fees for using SAP systems, and you need SAP licence keys. The amount of your licence costs will be determined during the current operation, depending on the number of users and the features used in the SAP software. The survey programme (transaction USMM), the results of which you transmit to SAP, serves this purpose. Not only the number of users is relevant, but also their classification, the so-called user types. You assign these to the user via the transaction SU01 or the transaction SU10 (Licence Data tab). Alternatively, you can let the user inherit the user type of a reference user or classify it via an associated role. This is done by analogy when you use the Central User Administration (ZBV). So far, there has been no central evaluation of the data of all systems connected to the ZBV. Now this has changed, and we'll show you how you can use this analysis.
Add New Organisation Levels
You will find all the user favourites of a system in the SMEN_BUFFC table; additionally there is the table SMEN_BUFFI, in which the links from the favourite lists are stored. You can simply export this table to Microsoft Excel and then evaluate it. At this point, however, we would like to point out that you may not evaluate the favourites without prior consultation with the users, because the stored favourites are user-related and therefore personal data. The SMEN_BUFFC table contains various fields that determine the structure of the placed favourites. For example, you can create folders in your favourites to sort them. This folder structure can also be found in the SMEN_BUFFC table. However, the entries themselves that you will find in the REPORT field are important for the re-creation of a permission concept. The REPORTTYPE field tells you whether the entry in question is, for example, a transaction or a Web-Dynpro application. In the TEXT field, if required, you will find the description of the favourite entry. In addition, you should also pay attention to the TARGET_SYS field, since favourites can also be entered for other systems, in this case an RFC target system is entered under TARGET_SYS.
System users are also intended for anonymous access. They are used in technical operations that require a user, such as batch runs or RFC connections. With them, therefore, no dialogue login is possible on the SAP system, but only the login via RFC call. Multiple logins are always possible for a system user, and the password modification rules (see also the explanation under "Service Users") do not apply. The password of a system user always has the status Productive and can only be changed by the user administrator.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
Some useful tips about SAP basis can be found on www.sap-corner.de.
I recently discussed the special features of this in the article "SAP Authorizations Mass Maintenance Single Role Assignments in Composite Roles per Function Module (FuBa) or Transaction Code", but here I would rather discuss the roles and assignment of authorization object field values in role maintenance with the PFCG for an authorization overview.
To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.
One way to maintain suggestion values is to use the system trace, which is linked to the transaction SU24 after inserting the support package named in SAP Note 1631929 and the correction instructions.