Development
Maintain generated profile names in complex system landscapes
Finally, we want to give you some recommendations for securing file access. The SPTH table allows you to protect the file system from ABAP programme accesses without granting permissions and to deliberately define exceptions. The problem is identifying the necessary exceptions. However, because the SPTH check is always performed together with the S_DATASET object check, you can use a long-running permission trace to find the paths that are used with filters for the S_DATASET authorization object. The procedure for this is described in detail in our Tip 39, "Maintain suggestion values by using trace evaluations". If you are using applications that access files in the DIR_HOME directory without a path, such as the ST11 transaction, you must specify access to the allowed file groups individually (e.g. dev_, gw_), because there is no wild card for DIR_HOME.
This also implies that the change documents must be kept in Excel. The Excel file must not be lost or damaged.
Calling RFC function modules
If you set the profile parameter dynamically, no users are logged out of the application server. You can prepare maintenance work in good time. The value 2 in the profile parameter does not prevent the login with the emergency user SAP*, if this is not set as user master record and the profile parameter login/no_automatic_user_sapstar is set to 0. You can also change the value of the parameter again at the operating system level. For details on the SAP user, see Tip 91, "Handling the default users and their initial passwords".
Here, the authorizations are either derived from the role menu (through the authorization default values (transaction SU24) or can also be edited manually in expert mode. The individual authorization objects are divided into object classes. For example, the object class AAAB (cross-application authorization objects) contains the authorization object S_TCODE (transaction code check at transaction start) with the authorization field value TCD (transaction code).
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
At this point, however, you do not specify which reference roles should be derived for these organisational values.
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
The report must be called for each organisational level.