Authorization roles (transaction PFCG)
Prevent excessive permissions on HR reporting
Look closely at the security advisory so that you can identify the affected programmes or functions and schedule appropriate application tests. Use a test implementation in the SNOTE transaction to identify additional SAP hints that are required for a security advisory and may also contain functional changes.
Repair defective field list in SU24 suggestion values: This function verifies that all the authorization objects used in the permission proposals are consistent, that is, fit to the authorization object definitions from transaction SU21. If there are no permission fields or if there are too many entries, these data will be corrected in the proposal values.
Efficient SAP rollout through central, tool-supported management
First, the Web application developers must implement appropriate permission checks and make PFCG available for use in role maintenance in the transaction. This includes the maintenance of proposed values in the transaction SU22. The SAP Note 1413012 (new reusable startup authorisation check) provides all the necessary details.
In addition, you must note that you may not execute this report on systems that are used as a user source for a Java system. This is due to the fact that a login to the Java system will only update the date of the last login to the ABAP system if a password-based login has taken place. Other Java system login modes do not update the date of the last ABAP system login.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
In addition to the parameters listed here, the table itself must also have the table logging hook set; This is usually done with the help of the transaction SE13.
Besides if the default values from the SU24 still have open fields and here entries have been made, a MAINTENANCE appears next to the berechitgungsobjekt and with manually added authorization objects a MANUAL.