Structural authorizations
Law-critical authorizations
Transaction PFCG also offers you the option of automatically collecting permissions. Not every transaction entered into a single role via a role menu necessarily needs its own permission entry in the permission tree, because some transactions have identical or similar permission proposal values.
The ABAP authorization concept protects transactions, programs and services in SAP systems against unauthorized access. Based on the authorization concept, the administrator assigns authorizations to users that determine which actions a user is allowed to perform in the SAP system after logging on to the system and being authenticated.
Service User
In general, we recommend you to use strong encryption mechanisms and to switch most users to an SSO login. You should then delete the hash values of the user passwords as described above. For release-dependent information on SNC client encryption, see SAP Note 1643878.
In the course of a comprehensive protection of your system from the inside as well as from the outside it is indispensable to have a closer look especially at the SAP standard users. They have far-reaching authorizations that can cause great damage to your system if misused. It should be noted that they are very important for the operational execution of your SAP system and must not be deleted. However, since the associated standard passwords can be quickly researched, they must be changed immediately after delivery of the SAP ERP. You can perform a detailed check of these users using report RSUSRS003. It is also recommended to set certain default users inactive until they are actually used.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
Behind this RFC connection is a Trusted-RFC connection in the ERP system of the system landscape with the naming convention *_RFC.
Applications are logged through the Launch Permissions checks.