Default permissions already included
A complicated role construct
You will need to adapt the template to your organisation's circumstances, i.e., probably define the certificate filing depending on the naming convention for your users and adjust the certificate verification. This verification of certificates ensures that no existing certificates are added in the template and that only one certificate is entered to an e-mail address. This check is necessary because sending an encrypted e-mail is cancelled if more than one valid certificate to an e-mail address is found. You can map mass imports of the certificates via this customer-specific programme. In addition, you will also need to define a way to manage certificates in your organisation, i.e. how to transfer changes to certificates to the SAP system.
Insert SAP Notes 1656965 and 1793961 into your system. With these hints, the report RSUSR_LOCK_USERS is delivered or extended. This report supports automatic selection and blocking of inactive users. To do this, you have to select the criteria in the selection screen of the RSUSR_LOCK_USERS report, according to which you want to lock or invalidate users. You can determine the choice of users by using various criteria. It is recommended to take into account the period since the last login in the Days since last login field and the password status in the Days since password change field. You have the option to check the result of the selection and view the users found. To do this, select the Test of Selection action in the Select Action pane. You can also choose between the User Lock-outs (Local Lock-outs) and User Unlock (Local Lock-outs) actions in this area. You can set the end of a user's validity by clicking the corresponding options for "today" or "yesterday". Note that you can only set the validity for current users.
User and authorization management
Since developer authorizations correspond to full authorization, they should only be assigned restrictively. This applies above all to the authorization for "debugging with replace" (see "Law-critical authorizations"). The risk of incorrectly assigned developer authorizations has also increased due to the elimination of additional protection via developer and object keys in S/4 HANA systems (see, among other things, SAP Note 2309060). Developer authorizations for original SAP objects should therefore only be granted here upon request in order to avoid unauthorized modifications. If developer keys are still relevant in the existing SAP release, the existing developer keys in table DEVACCESS should first be checked and compared with the users intended for development.
Transaction SE63 allows you to translate a variety of text in the SAP system. You can find the relevant texts for the eligibility roles via the menu path: Translation > ABAP Objects > Short Texts In the pop-up window Object Type Selection that appears, select the S3 ABAP Texts node and select the ACGR Roles sub-point.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
To minimize the risk of a system failure or the creation of a security vulnerability, administrative rights should only be granted to employees in the basic administration.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
You may have special requirements that are necessarily to be included in the naming convention, such as when you define template roles in a template project that can be customised locally.