Restrict Application Server Login
Maintain table permission groups
As the rolls pass, the value ranges for the field in question are searched within a role. Automatic cleanup occurs by writing both value ranges together in all fields. Therefore, you should clean up these entries before you start and create two different roles if necessary. The PFCG_ORGFIELD_CREATE report provides a test run that allows you to identify all the affected roles. The Status column provides an overview of the status of the permission values. If the status is yellow, there are different value ranges for the field within the role; the role must therefore be adjusted.
The setting of the modification flag used to determine the proposed values to be matched is imprecise. Learn about a new process that uses timestamps. Upgrade rework for suggestion values and roles must be performed not only upon release change, but also after inserting plug-ins, support packages, enhancement packages, or other software components, such as partner solutions. These rework can be complex if the underlying selection of proposed values cannot be restricted. Therefore, a new procedure has been introduced in the transaction SU25, which restricts the proposed values to be compared using a time stamp.
Authorization tools - advantages and limitations
For even more extensive operations on jobs, there must be an authorization for object S_BTCH_ADM, in which the field BTCADMIN (identifier for the batch administrator) has the value 'Y'. This allows cross-client operations on any job. S_BTCH_ADM with value 'Y' thus also contains the objects S_BTCH_JOB action * and S_BTCH_NAM and S_BTCH_NA1 with user/program = *. Therefore, this is a very critical authorization because it allows an identity change. With the changes mentioned in note 1702113, the S_BTCH_ADM object can be used to restrict the authorization assignment more precisely.
In such a case the last error is displayed in SU53 or the display is empty. Then you can't avoid analyzing the error message of the transaction. One more tip in the end: Instruct the user to take the screen shot with
, this will put the whole active window on the clipboard and you can see which transaction, system and context of the transaction it is. Smaller "SnagIt "s are mostly useless and lead to unnecessary queries.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
This allows you to check the roles in which the selected applications are used.
SAP FI has direct interfaces to other modules, such as HR or SD.