Get an overview of the organisations and their dependencies maintained in the system
When the auth/authorisation_trace parameter is turned on, external services are written to the USOBHASH table and permission checks are logged in the USOB_AUTHVALTRC table. You can now use the contents of this table to apply the checked objects and values from the trace to the suggestion values in the transaction SU24. Because it is a dynamic profile parameter, it is reset when the application server is launched. Now open the transaction SU24 and you will find your own UIK component as an external service. Double-clicking on this service will tell you that no suggestion values have been maintained there. You can apply these suggested values from the USOB_AUTHVALTRC table. Here you should at least maintain the UIU_COMP authorization object so that this information is loaded into the PFCG role as soon as you include the external service in your role menu.
This approach makes authorization management considerably more efficient, since functional changes do not have a global impact on the entire authorization structure. This ensures the quality of authorizations in the long term. Authorizations in SAP systems enable users to access the applications relevant to their activities. To ensure that processes are mapped securely and correctly, SAP authorizations must be regularly checked and reworked.
What to do when the auditor comes - Part 2: Authorizations and parameters
After activation, advanced security checks are available in the usual development environment within the ABAP Test Cockpit. The ABAP Test Cockpit is a graphical framework for developers. Various test tools, such as the Code Inspector or the SAP Code Vulnerability Analyser, can be integrated into this. All available test tools can be initiated from this central location and present their results in a common view. No training is required to intuit the tool.
If you want to cancel, share, or reset other users' jobs to scheduled status, you must have permission for the S_BTCH_ADM object with a value of Y. Alternatively, you can also grant the JOBACTION = MODI and JOBGROUP =
permission for the S_BTCH_JOB object. The MODI promotion was introduced with SAP NetWeaver AS ABAP 7.00 or can be recorded via SAP Note 1623250. The following illustration shows an example of how the JOBACTION = MODI privilege is expressed for the jobs of the users listed under JOBGROUP.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
SAP_NEW represents a specific permission profile that summarises the concrete permission changes between two SAP release levels.
Thanks to the new feature provided with the Support Package mentioned in SAP Note 1847663, it is possible to use trace data from the privilege trace in the SU24 transaction for suggestion value maintenance.