Do not assign SAP_NEW
Evaluate licence data through the Central User Management
The daily business of an authorization administrator includes the checks and analyses of critical authorizations and combinations in the system. The focus is on users and roles in the respective clients and system rails. The SAP standard report RSUSR008_009_NEW is suitable for this purpose. You must first create corresponding check variants and authorization values for critical authorizations or combinations either using the program itself or transaction SU_VCUSRVARCOM_CHAN. These then correspond to your internal and external security guidelines. You can then run the report with your respective check scope and the corresponding critical authorization or combination variant and check in which roles or users such violations exist. This serves to protect your entire IT system landscape and should be carried out periodically.
Single role - Created using the role administration tool, it enables the automatic generation of an authorization profile. The role contains the authorization data and the logon menu of the users.
Evaluation of the authorization check SU53
To do this, in the SU24 transaction, open the application you want to customise. To maintain the missing suggestion values, you can start the trace here by clicking on the button Trace. You can of course also use the system trace for permissions via the ST01 or STAUTHRACE transactions. A new window will open. Click here on the Evaluate Trace button and select System Trace (ST01) > Local. In the window that opens you now have the opportunity to restrict the trace to a specific user or to start it directly. To do this, enter a user who will call the application you want to record, and then click Turn on Trace. Now, in a separate mode, you can call and run the application you want to customise. Once you have completed the activities that you need permission checks, i.e. you have finished the trace, you will return to your application in the transaction SU24 and stop the trace by switching off the button trace. To perform the evaluation, click the Evaluate button. To obtain the trace data for each authorization object, select the authorization object you want to customise in the upper-left pane of the Permissions object drop-down list.
The SAP authorization concept must generally be created in two versions: for the ABAP stack and for the Java stack. Which roles are required, which role may call which SAP functions, and other conceptual issues are identical. However, there are fundamental differences between the two versions.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
After defining the roles and generating the corresponding authorization profiles, the individual persons in the company are then assigned to the roles.
The implementation of the time-space validation checks is carried out as an additional time-space filter.