Define security policy for users
General considerations
If there are no buttons for copying and pasting in the PFCG transaction, you can simply insert them. Only seven lines are displayed in the dialogue box to maintain field values to properties in transaction PFCG. Up to now it was not possible to insert more than these seven lines at once from the clipboard. However, this may often be necessary in the context of the maintenance of permissions, for example if you want to use entries from other roles. Read how to copy and paste the buttons in the dialogue box to maintain field values to the authorization objects.
There are many advantages to using an authorization tool for companies. These include: - Managing authorization requests - Distributing and assigning authorizations - Auditing authorizations - Developing authorizations. With the help of authorization tools, it is possible, for example, to drastically reduce the effort required for role creation and authorization management through concrete assignment of SAP system roles.
Implementing the authorization concept in the FIORI interface
In principle, the SAP_NEW permission should not be granted in the production system. The Profiles tab displays the generated profiles in the user master record that are associated with a specific user. Here you can also assign manually created permission profiles from the transaction SU02 - even without direct role mapping. In principle, the recommendation is to use the profile generator (transaction PFCG) to generate authorisation profiles automatically. Special caution is taken when you enter generated permission profiles directly on the Profiles tab, as these assignments will be deleted by matching user assignments with the transaction PFUD if no entry is on the Roles tab for the assignment. You have probably assigned SAP_ALL and SAP_NEW to users for whom there should be no restrictions in the SAP system. But what are these two profiles different from each other and why are they necessary?
Check to see if there are any corrective recommendations to follow for your release. We recommend that you run the SU24_AUTO_REPAIR correction report before executing the transaction SU25 (see tip 38, "Use the SU22 and SU24 transactions correctly"). If necessary, run this report in the old lease, but in any case before importing the new proposal values. Use the test mode of the report to look at possible corrections in advance. In addition, to ensure that you do not lose information with your upgrade work, you can write and release the data from the SU24 transaction on step 3 (customer table transport) in the SU25 transaction to a transport order. This way, a backup of your SU24 data is made. Now the upgrade work can begin. Warning: Do not perform step 1 (customer tables were initially filled), because this overwrites the USOBT_C and USOBX_C customer tables, i.e. the SU24 data, completely with the SAP suggestion values. However, you want to keep your SU24 data and add to the proposed changes for the new release!
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
Cybersecurity is a broad field.
Each SAP transaction is equipped with the required authorization objects in SU24, which control access to specific functions within the respective program.