Development
WHY ACCESS CONTROL
No more users can be created, maintained or deleted without the assignment of a valid user group. If a user group is not assigned when a user is created, the user is automatically assigned the default user group. Before you set the USER_GRP_REQUIRED switch, a user group must have been assigned to each existing user and the administrators must have the permissions for the default user group. When creating a new user, the default user group will be used as pre-occupancy; this user group can be overridden by setting another user group in the S_USER_GRP_DEFAULT user parameter for each user administrator. The customising switch requires a valid user group, because it is used as the default user group. If a valid user group has not been entered in the customising switch, the user group is nevertheless a mandatory field. This will lead to errors in automated user creation.
You can translate text blocks in permission roles individually using the SE63 transaction. If you need to translate many roles, there are also automation options that we present here. There are several scenarios in which it becomes interesting to translate the texts of permission roles, for example, if your company is acting internationally. Also, you may have taken over a third party company and the SAP systems used there, or you may want to simplify the SAP system landscape by combining different divisions in one system. In all of these cases, you must standardise or translate the texts of the authorisation roles. For pure translation, you can use the transaction SE63, which we explain in the first section of this tip. In general, however, you will need to translate a large number of role texts in these scenarios; Therefore, in the second section we will explain how you can automate the translation using the LSMW (Legacy System Migration Workbench) transaction and will discuss how to set up a custom ABAP programme.
Use Custom Permissions
Existing log files are managed using the SM18 transaction. Here you can delete the log files in all active instances. This requires the indication of a minimum age in days for deletion. The smallest possible value is three days, without taking the current day into account in the calculation.
Please note that depending on the results of the RSUSR003 report, a system log message of type E03 is generated. If a critical feature (stored in red) is detected, the message text"Programme RSUSR003 reports ›Security violations‹"is written into the system log. If no critical feature has been detected, the message"Programme RSUSR003 reports ›Security check passed‹"will be displayed instead. This message is sent because the password status information of the default users is highly security relevant and you should be able to track the accesses. You can grant the User and System Administration change permissions for the RSUSR003 report, or you can grant only one execution permission with the S_USER_ADM authorization object and the value CHKSTDPWD in the S_ADM_AREA field. This permission does not include user management change permissions and can therefore also be assigned to auditors.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
However, this was only possible for FI with additional programming.
You want to document internal system revisions and authorisation monitoring? The new cockpit of the Audit Information System offers you some practical functions.