Restrict Application Server Login
Reset Manually Maintained Organisation Levels to Roles
Since the maintenance effort would be too great if individual authorizations were entered in the user master record, authorizations can be combined into authorization profiles. Changes to access rights take effect for all users who have entered the profile in the master record.
It must be clarified in advance what constitutes a recognized "emergency" in the first place and which scenarios do not yet justify activating the highly privileged user. In addition, it may only be approved and activated after a justified request and only under the dual control principle. After use, it must be administratively blocked again immediately.
Eligibility proposal values
With the introduction of security policy, it is now possible to define your own security policy for System or Service users. This way you can ensure that backward-compatible passwords are still used for these users. This eliminates the reason that password rules were not valid for System/Service type users; Therefore, the rules for the content of passwords now apply to users of these types. Password change rules are still not valid for System or Service type users. If you are using security policy in your system, you can use the RSUSR_SECPOL_USAGE report to get an overview of how security policy is assigned to users. This report can be found in the User Information System (transaction SUIM). In addition, the user information system reports have added selected security policies to the user selection. This change was provided through a support package; For details, see SAP Note 1611173.
First and foremost, legal principles must be stated and specific reference must be made to authorizations that are critical to the law and that may not be assigned (or at most may be assigned to emergency users). An example is the authorization "Debugging with Replace", to which the object S_DEVELOP with the values ACTVT = 02 and OBJTYPE = DEBUG legitimizes and over which data can be manipulated by main memory change. However, this would violate § 239 of the German Commercial Code, the so-called "erasure prohibition".
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
You can set the end of a user's validity by clicking the corresponding options for "today" or "yesterday".
If you are using Central User Administration (ZBV), the assignment applies to all connected systems.