Identify Executable Transaction Codes
Essential authorizations and parameters in the SAP® environment
Which authorization data does a role have (PFCG)? Again, start the transaction PFCG and display a role. Then branch to the tab Authorizations and click on the button with the "glasses" (bottom left): Display authorization data.
For the scenario of sending initials passwords, signing emails is not so relevant. Although it is possible to send an encrypted e-mail with a fake sender address, in this case the initial passwords in the system would not work. It looks different when you send business data; In such cases, verification of the sender via a digital signature is recommended. If you want to send e-mails digitally signed, we advise you to send them at the system's e-mail address. To do this, use the SEND_EMAIL_FOR_USER method described and place the sender's tag on the system. In this case, you need a public key pair for your ABAP system, which is stored as a Personal System Security Environment (PSE). For a detailed description of the configuration, including for verification and decryption of received emails, see the SAP Online Help at http://help.sap.com/saphelp_nw73ehp1/helpdata/en/d2/7c5672be474525b7aed5559524a282/frameset.htm and SAP Note 1637415.
Custom requirements
I show how SAP authorizations can be assessed and monitored by using the Three Lines of Defense model. This method can be applied even if the model is not used for all enterprise risks. You will learn how to integrate the different stakeholders into the lines of defense and harmonize the knowledge for the process. Also, what tools can be used for controls and cleanups in each case. This ensures, for example, that managers are able to assess the risks and derive measures, and that administrators can technically clean up the risks.
Since Release 4.6D, the system creates a new folder for each of the roles included in the pulley when rebuilding a Collective Roll menu at the first hierarchy level, and only then the corresponding menu is located. You can decide whether the text of each folder should consist of the technical name or the short text of the role. This function can be disabled by customising.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
You define security policy about the SECPOL transaction.
This means that the end user no longer needs the permissions to run these transaction codes from the S_TCODE authorization object.