In the transaction, select SU10 by login data of users
Data ownership concept
SAP Note 1720401 extends the SU10 transaction (mass maintenance of users) with the previously missing option to select users by login date and password changes. The notice adds these features to the RSUSR200 report. This report can also be executed directly using the transaction SU10 and the corresponding permission. After the hint has been inserted, the transaction SU10 will be expanded to include the login data button.
The assignment of the SAP_ALL profile is not required for the operation of an SAP system; therefore, a yellow icon will appear for the first check once a user has assigned the profile. For the other six checks on critical base permissions, the yellow icon will be displayed when a client is found on the system and at least one of the following two conditions applies: More than 75 users have the permission checked in this check. More than 10% of all users have the permission checked in this check, but at least 11 users.
Check and refresh the permission buffer
It is very important that critical authorizations are generally subject to a monitoring process in order to be able to ensure that they are assigned in a productive system in a very restricted manner or not at all. Law-critical authorizations in particular, such as deleting all change documents, debugging ABAP programs with Replace, and deleting version histories, must never be assigned in a production system, as these authorizations can be used to violate the erasure ban, among other things. It must therefore be ensured that these authorizations have not been assigned to any user, not even to SAP® base administrators.
A manual comparison of role texts in an SAP system landscape with ZBV is very annoying. You can also automate the sync. I'm sure you know this. When creating or maintaining users in the Central User Administration (ZBV), you must manually start the text matching each time before assigning PFCG roles to provide you with the latest PFCG role definitions. Managing a large system landscape with many systems in your ZBV - including development, test and production systems - the text comparison can take a while.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
The goal of an authorization concept is to provide each user with the appropriate authorizations in the system individually for their tasks according to a previously defined rule.
Think of it as a blueprint or a flow rule for how to create new derived roles.