Hash values of user passwords
What roles does my user have (SU01)? We start with a simple question: which roles are actually assigned to your SAP user? With the transaction SU01 you can view your (or other) SAP user. Among a lot of other information, you can find the assigned single and composite roles on the "Roles" tab.
However, the preferred and more comprehensive variant of a programmatic permission check is the use of the AUTHORITY_CHECK_TCODE function block. This function block not only responds to a missing permission when the programme starts, but can also specify that only the NO-CHECK check marks maintained in the transaction SE97 allow external calling from another transaction context. This is determined by the function block and not by the developer.
The security of an SAP system is not only dependent on securing the production system. The development systems should also be considered, since here it is possible to influence the productive system via changes to be transported in the development environment and in customizing or via inadequately configured interfaces. Depending on the conceptual granularity of responsibilities in the development and customizing environment, more detailed authorization checks may need to be performed.
Over the button field maintenance also own-developed authorization fields can be created to either a certain data element is assigned or also search assistance or check tables are deposited. On RZ10.de the topic has been described in more detail including a video recording in the article "Creating Authorization Objects with SAP Transaction SU21".
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
In preparation, the documentation should therefore be checked for completeness and up-to-dateness and, in a further step, whether the process defined in it has also been followed throughout the year.
To do this, create your own table permission group for the SSF_PSE_D table and restrict programmes from accessing the
/sec directory in the file system.