Dialogue user
Permissions and User Root Sets Evaluations
You can now assign transactions to these roles. Experience has shown that roles should remain application-specific and that a distinction between book or investing, changing and reading roles is also useful. There will be regular transactions used in multiple roles. You should not overestimate the often demanded freedom of redundancy. However, for critical transactions or transactions that are involved in a functional separation conflict, it is recommended that they be kept in a separate role. In general, roles should not contain too many transactions; Smaller roles are easier to maintain and easier to derive. Also, assigning them does not quickly lead to the problem that users have too many permissions. If you keep the necessary functional separations in place, you have already prepared them as a takeaway.
In the course of a comprehensive protection of your system from the inside as well as from the outside it is indispensable to have a closer look especially at the SAP standard users. They have far-reaching authorizations that can cause great damage to your system if misused. It should be noted that they are very important for the operational execution of your SAP system and must not be deleted. However, since the associated standard passwords can be quickly researched, they must be changed immediately after delivery of the SAP ERP. You can perform a detailed check of these users using report RSUSRS003. It is also recommended to set certain default users inactive until they are actually used.
Optimization of SAP licenses by analyzing the activities of your SAP users
To help you better find your own tables in the future, check your development policy to see if the storage is adequately described. If the development guidelines are not complete, you should supplement them. For example content for a development policy, see the DSAG Web site under Guides. Now go to https://www.dsag.de/go/leitfäden and search for "Best Practice Guide Development".
The downloading of the table must be monthly. You can also make downloading easier; Frank Buchholz presents programmes that you can use in his blog (see http://wiki.scn.sap.com/wiki/display/Snippets/Show+RFC+Workload+Statistic+to+build+authorizations+for+authorization+object+S_RFC). Optionally, the next step is to identify function groups for the function blocks. You can find them in the AREA field of the ENLFDIR table. However, we recommend granting permissions at the function block level, because function groups often contain a large number of function blocks and the accessibility is expanded unnecessarily.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
Over the course of time, many companies experience profound changes in the framework conditions that significantly influence SAP® authorization management.
On the other hand one can call the system trace over the transaction ST01.