Data ownership concept
Eligibility proposal values
Note that the S_TCODE authorization object is always filled with the current transactions from the roles menu. If organisational levels are also included that are no longer required, they will be automatically deleted. If, however, organisational levels are added depending on the transaction, they should be maintained first in the eligibility maintenance.
Very often the question then arises, does anything have to be prepared for the audit? As a rule, all of the company's own notes from previous years should be retrieved and combed through for information that was noted at the time during the discussions with the IT auditor. The IT auditor's findings and comments that show potential for improvement in IT-relevant processes or system settings are particularly essential. Furthermore, any reports by the auditor from the previous year should also be taken into account, in which deficiencies identified at that time were pointed out.
Immediate authorization check - SU53
A manual comparison of role texts in an SAP system landscape with ZBV is very annoying. You can also automate the sync. I'm sure you know this. When creating or maintaining users in the Central User Administration (ZBV), you must manually start the text matching each time before assigning PFCG roles to provide you with the latest PFCG role definitions. Managing a large system landscape with many systems in your ZBV - including development, test and production systems - the text comparison can take a while.
If you use the option described by us to reload the change documents into a shadow database, you should also run the report SUIM_CTRL_CHG_IDX after each reload operation, marking the field Indexes loaded change documents. In this case, all reverse-loaded change documents shall be taken into account. Before doing so, all index entries must be deleted; This can lead to a long run of the report.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
The SOS also allows you to list the users.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
In this step you have the option to exchange the transaction codes.