Context-dependent authorizations
Law-critical authorizations
We therefore recommend that you schedule a background job on the PFUD transaction, which performs a regular user comparison (see Trick 17, "Schedule PFUD transaction on a regular basis"). By the way, did you know that the auth/tcodes_not_checked profile parameter enables you to disable the transaction startup permissions for the SU53 and SU56 transactions? To do this, enter the value SU53, SU56, or SU53 SU56 for the profile parameter. This means that the end user no longer needs the permissions to run these transaction codes from the S_TCODE authorization object.
In the SU22 transaction, the developers of an application maintain the proposed values for all required authorization objects; the authorisation trace helps in this. As described in SAP Note 543164, the dynamic profile parameter auth/authorisation_trace of the trace is set to Y (active) or F (active with filter). By inserting the SAP Notes 1854561 or the relevant support package from SAP Note 1847663, it is possible to define a filter for this trace via the STUSOBTRACE transaction, which you can restrict by the type of application, authorization objects, or user criteria.
Grant permission for external services from SAP CRM
Typically, users access a table's data through applications rather than directly. If so, you should take precautions and restrict access to sensitive data. End users typically do not access table-level data directly, but the data is displayed in business applications and their display is restricted in context by means of entitlement checks. However, there are cases where generic access to tables via the SE16, SE16N, SM30, SM31 or SM34 transaction is required for administrators, key users, verifiers, etc. For example, a verifier should have read access to all customising tables. However, you do not want to display security-related tables. Key users should be able to access certain reports regularly, but only read information relevant to their work. There are several ways to restrict access to tables by using table tools. This means that users can only access tables or table contents that they want to see. However, we would like to point out that the granting of permissions for these tools in the production environment is considered to be critical to security, since it is very easy to allow access to large amounts of sensitive data in the case of erroneous or excessive permissions. Therefore, only apply these permissions in a restricted way.
In order to be able to act fully at all times in emergency situations, an SAP emergency user must be available who has all authorizations for the entire SAP system (typically by means of the composite profile SAP_ALL). However, this not only makes him a great help, but also extremely dangerous, so that his use must be precisely regulated via a dedicated concept.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
However, you must be careful not to mark all fields of the objects, otherwise direct access is also possible.
If you have an older SAP NetWeaver release than 7.00 installed, only two possible values for the customising switch BNAME_RESTRICT are available after the implementation of SAP Note 1731549.