General considerations
The SAP authorization concept
You should archive all document types at the same time intervals; This is especially true for the US_USER and US_PASS archive objects. It is customary to keep the supporting documents between 12 and 18 months, as this corresponds to the retention periods for the revision. For performance reasons, if you want to archive in shorter intervals, you should always archive all archive objects at the same time and store the PFCG and IDENTITY archive object classes in separate archives. In this case, it may be useful to download the archived revision documents back to a shadow database to make them available for faster review. You can use the following reports: RSUSR_LOAD_FROM_ARCH_PROF_AUTH / RSUSR_LOAD_FROM_ARCHIVE. You can also archive the table change logs with the BC_DBLOGS archive object.
Access options and authorizations are defined and controlled in the SAP authorization concept. How secure business data is in SAP depends largely on the assignment of authorizations and access options for a company's users.
Security Automation for HR Authorizations
Check to see if there are any corrective recommendations to follow for your release. We recommend that you run the SU24_AUTO_REPAIR correction report before executing the transaction SU25 (see tip 38, "Use the SU22 and SU24 transactions correctly"). If necessary, run this report in the old lease, but in any case before importing the new proposal values. Use the test mode of the report to look at possible corrections in advance. In addition, to ensure that you do not lose information with your upgrade work, you can write and release the data from the SU24 transaction on step 3 (customer table transport) in the SU25 transaction to a transport order. This way, a backup of your SU24 data is made. Now the upgrade work can begin. Warning: Do not perform step 1 (customer tables were initially filled), because this overwrites the USOBT_C and USOBX_C customer tables, i.e. the SU24 data, completely with the SAP suggestion values. However, you want to keep your SU24 data and add to the proposed changes for the new release!
This representation has been chosen to show the differences in the classification of user types, because, despite the Global setting for the distribution parameter of the licence data (in the transaction SCUM), the settings in the ZBV may differ from those of the subsidiary system. In addition, you can add the columns ID in the report: Contractual User Type and ID: Show the value in central, which contains the technical values for the user type. If users on the daughter systems are not relevant for the licence measurement, the value User is irrelevant for the licence measurement in the column Contractual User Type. This value occurs for the following users: - technical user - user is not present - user is not valid - user is of type reference user.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
The User Management Engine offers options that go beyond the J2EE standard.
If it is a function block or a Web application, you can obtain the programme name by using the System Trace for Permissions (transaction ST01 or transaction STAUTHTRACE).