Authorization tools - advantages and limitations
Controlling permissions for the SAP NetWeaver Business Client
You use the RSUSR010 report and you do not see all transaction codes associated with the user or role. How can that be? The various reports of the user information system (SUIM) allow you to evaluate the users, permissions and profiles in the SAP system. One of these reports, the RSUSR010 report, shows you all executable transactions for a user, role, profile, or permission. Users of the report are often unsure about what this report actually displays, because the results do not necessarily correspond to the eligible transactions. Therefore, we clarify in the following which data are evaluated for this report and how these deviations can occur.
User trace - Transaction: STUSERTRACE - With the transaction STUSERTRACE you call the user trace. Basically, this is the authorization trace (transaction STUSOBTRACE), which filters for individual users. So you can call exactly the authorization trace and set the filter on a user. As with the authorization trace, the profile parameter "auth/authorization_trace" must be set accordingly in the parameter administration (transaction RZ10).
Deletion of change documents
The first two problems can be solved by inserting the correction from SAP Note 1614407. The profile data will not be added to the bill of materials at the time of the roll recording but only when the transport order is released. This ensures consistency between the role's permission data and its profile data. The shared transport job also contains the complete history of changes to the profiles and permissions, so that obsolete data can also be deleted in the target systems.
DDIC: DDIC is the only user able to log in or make changes to the ABAP Dictionary during installations and release changes. It is also used in the client 000, e.g. for certain jobs or Unicode conversions. DDIC exists in all clients except 066. Safeguard measures: In all systems (except for client 000 due to upgrade features), set DDIC to the System user type. If necessary, you can switch it back to a dialogue user using the Emergency User. Change the password, assign the user to the SUPER user group, and log it with the Security Audit Log.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
The PFCG_ORGFIELD_DELETE report also provides a value aid that shows only the customer's organisational levels.
The better these values are maintained, the less effort is required to maintain the PFCG roles (see figure next page).