Define S_RFC permissions using usage data
Unclear objectives and lack of definition of own security standards
Administrative activities are used to control system behavior and make various security-relevant settings. To minimize the risk of a system failure or the creation of a security vulnerability, administrative rights should only be granted to employees in the basic administration. The following list may be supplemented by suggestions from the company's own administration. It contains only the most important authorization objects for each subject area.
For accesses by verifier users (from the table TPCUSERN), the selection parameters of the invoked transaction are logged in the application log and can be evaluated with the report CA_TAXLOG. In the example, the single ledger entry for the vendor account 100000 was invoked.
Retain the values of the permission trace to the role menu
A far more elaborate way is the identification via the business roll customising. Here you first identify the technical name of the area start page or the logical link in the customising of your business role in the CRMC_UI_PROFILE transaction. If you have an area start page, check the technical name of the corresponding logical link. The next step is to switch to the navigation bar customising in the transaction CRMC_UI_NBLINKS and identify to the technical name of your logical link the corresponding target ID in the View Define logical link. If you use the target ID as the search parameter in the CRMC_UI_COMP_IP table, you will get the information about component name, component window, and inbound plug as the search result.
Finally, you can extend your implementation of the BAdIs BADI_IDENTITY_SU01_CREATE and pre-enter additional fields of the transaction SU01. To do this, complete the appropriate SET_* methods of the IF_IDENTITY interface. For example, it is possible to assign parameters that should be maintained for all users, assign a company, or assign an SNC name.
Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.
Here you can change all filter settings, but not the number of existing filters.
Note that the global check variant of the Code Inspector that you created in the transaction SCI and that is entered as the default in the transaction ATC (ATC configuration) includes the security tests of the extended programme check of the SAP Code Vulnerability Analyser.