Check for permissions on the old user group when assigning a new user group to a user
Sustainably protect your data treasures with the right authorization management
If you do not want to use reference users, you can hide the Reference User field for additional permissions via a standard variant for the transaction SU01. The necessary steps are described in SAP Note 330067.
The first step to eliminating sprawl in permissions is to prevent it. To do this, administrators should obtain an overview and the assigned authorizations should be checked regularly. This helps to identify problems and incorrectly assigned authorizations at an early stage. The workload monitor can help here. This shows which authorizations users are actually using. The use of authorizations can be analyzed selectively and exported to tables. This also helps to improve existing roles and to create new roles for the authorization model in SAP.
AUTHORIZATIONS IN SAP SYSTEMS
TMSADM: The user TMSADM serves the communication between SAP systems in the transport management system and is automatically created in the client 000 when they are configured. TMSADM only has the permissions to access the common transport directory, view in the change and transport management system, and the necessary RFC permissions. Safeguard measures: Change the user's passwords in each client. There is the report TMS_UPDATE_PWD_OF_TMSADM, which you have to start in the client 000. This is only possible if you have administrator privileges on all systems in the landscape and the password rules of the systems are compatible. After the report has been successfully passed, all TMSADM users of the landscape in the client 000 and their destinations have the same new password.
You cannot increase the retention time afterwards; Therefore, you should adjust the configuration in good time before starting a project. In addition, you should change the settings of the stat/rfcrec and stat/rfc/distinct profile parameters. For example, you should increase the value of stat/rfcrec to 30, and stat/rfc/distinct should be set to 1. This improves the completeness of the recorded RFC usage data. For details on the technical improvements, see SAP Note 1964997.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
Please also refer to the SPA 1539556.
Find out what types of users you can use and how the password rules affect these types of users.