Using eCATT to maintain roles
Consolidate user-level role mapping
Critical permissions are permissions that allow you to view or modify security-related configurations in the SAP system, or perform activities that are critical from a legal or business perspective. This also includes access to sensitive data, which are e.g. personal. Critical permissions are really critical in themselves and pose a risk only if they get into the wrong hands. In any case, when using critical permissions, you should observe the principle of restricting rights. There are no general definitions of risk; Therefore, each company should define the compliance requirements for itself. Identifying critical SAP permissions is an important task and should be performed in every company. Particular attention should be paid not only to the award of transactions but also to the value characteristics of each of the eligible objects. It is important to mention that preventive regular inspections do not have to be burdensome. However, they will lead to greater transparency and security.
With the SAP NetWeaver 7.03 and 7.30 releases, Web Dynpro ABAP applications (as well as other Web Dynpro ABAP functions, see SAP Note 1413011) have been tested for permission to launch such applications. The authorization object that controls this startup permission is S_START. This authorization object is used in the same way as the S_TCODE authorization object.
To maintain suggestion values, use the transaction SU24. Here you can view and customise suggestion values for all types of applications, such as SAP GUI transactions, RFC building blocks, or Web Dynpro applications. One way to maintain suggestion values is to use the system trace, which is linked to the transaction SU24 after inserting the support package named in SAP Note 1631929 and the correction instructions. This means that from the transaction SU24 you start the system trace, collect trace data and use this data directly during maintenance.
For even more extensive operations on jobs, there must be an authorization for object S_BTCH_ADM, in which the field BTCADMIN (identifier for the batch administrator) has the value 'Y'. This allows cross-client operations on any job. S_BTCH_ADM with value 'Y' thus also contains the objects S_BTCH_JOB action * and S_BTCH_NAM and S_BTCH_NA1 with user/program = *. Therefore, this is a very critical authorization because it allows an identity change. With the changes mentioned in note 1702113, the S_BTCH_ADM object can be used to restrict the authorization assignment more precisely.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
When you create roles that are only intended for specific systems, such as the development system, it makes sense to include this information in the role name.
In order to provide user authorisation support, you often need their information.