Consolidate user-level role mapping
Best Practices Benefit from PFCG Roles Naming Conventions
Anyone who owns valuable personal property assumes responsibility for it - just like a landlord, for example. He decides whether changes need to be made to the building, whether privacy hedges need to be planted in the garden or whether superfluous old appliances need to be disposed of and, if necessary, has a new lock installed immediately if the front door key is lost. He may forbid visitors who are not relatives to enter the bedroom or the daughter to have a public party in the house.
If you do not encrypt communication between the client and the application servers, it is surprisingly easy for a third party to catch the username and password. Therefore, make sure you encrypt this interface! There is often uncertainty as to whether the password in SAP systems is encrypted by default and whether there is encryption during communication between the client and application servers by default. This ignorance can lead to fatal security vulnerabilities in your system landscape. We would therefore like to explain at this point how you can secure the passwords in your system and protect yourself against a pick-up of the passwords during transmission.
Role Management
First, select the authorization object that you want to maintain. There can be multiple permissions for each authorization object. Then load the trace data by clicking the Evaluate Trace button. A new window will open again, where you can set the evaluation criteria for the trace and limit the filter for applications either to applications in the menu or to all applications. Once the trace has been evaluated, you will be presented with all checked permission values for the selected authorization object. With the Apply button, you can now take the values line by line, column by column, or field by field. In the left part of the window, you will see the permission values added to the suggestion values already visible. After confirming these entries, you will be returned to the detail view of your role. You can see here the additions to the permission values for your authorization object.
When programming your permission check, always check the SY-SUBRC return code and define what should happen in the event of a non-successful permission check, i.e. if SY-SUBRC is not equal to 0. In most cases, an error message occurs and the programme is cancelled.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
This simplifies the later maintenance in the IMG structure.
The RDDPRCHK report allows you to enable table logging for multiple tables; however, it is not possible to disable logging on multiple tables.