Permissions with status
Customise Permissions After Upgrade
Wildgrowth of characters used in user IDs can have negative effects. Set a bar on it by limiting the character set in the first place. In the SAP system, depending on the release of the SAP_BASIS software component, you can create users whose names may contain "alternative" spaces. In Unicode systems, there are different spaces, which are represented by different hexadecimal values. The usual space has a hexadecimal value of 20, but there are alternative spaces (wide spaces), which can be recognised, for example, as double width or not at all as character spacing. You can use these alternate spaces when entering the user ID by pressing the Alt key. For example, the key combination (Alt) + 0160 can create a space with a non-breaking space. You can also create a user whose ID consists only of alternate spaces. Users with such IDs will write all change documents, but the IDs can still cause confusion if, for example, they are not recognisable as a user ID or if it appears that no user is displayed for the change document. In addition, certain special characters may cause problems in other applications (e.g. in transport management). Therefore, we will show you how to prevent such problems by limiting the character set.
Please note that depending on the results of the RSUSR003 report, a system log message of type E03 is generated. If a critical feature (stored in red) is detected, the message text"Programme RSUSR003 reports ›Security violations‹"is written into the system log. If no critical feature has been detected, the message"Programme RSUSR003 reports ›Security check passed‹"will be displayed instead. This message is sent because the password status information of the default users is highly security relevant and you should be able to track the accesses. You can grant the User and System Administration change permissions for the RSUSR003 report, or you can grant only one execution permission with the S_USER_ADM authorization object and the value CHKSTDPWD in the S_ADM_AREA field. This permission does not include user management change permissions and can therefore also be assigned to auditors.
Important components in the authorization concept
Describing all configuration options would exceed the scope of this tip. If you need explanations about a customising switch that are not listed here, look for the relevant note about the SSM_CID table. All settings described here can be made via the transaction SM30. You must consider that all settings in the SSM_CUST, SSM_COL, and PRGN_CUST tables are client-independent; only the settings of the USR_CUST table depend on the client.
The maintenance status of permissions in PFCG roles plays an important role in using the Role Menu. The Maintenance Status allows you to determine how the authorization object entered the role and how it was maintained there. The blending function of role maintenance credentials in the PFCG transaction is a powerful tool that helps you with role processing. If the Roll menu has been changed, the Mix feature will automatically add the permissions suggestions that are included in a single role. This is based on the proposed authorisation values defined in the transaction SU24, whose maintenance status is standard in the authorisation maintenance. These permission values are also called default permissions. Permissions with different maintenance status, i.e. Care for, Modified or Manual, are not changed during mixing - the exception is removing transactions.
With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.
In such a case the last error is displayed in SU53 or the display is empty.
For simplicity, you can now copy the lines that use the Person (P) object.