Maintain derived roles
Copy the user from the Clipboard to the Transaction SU10 selection
In Step 2b (Customised Proposal Values), you must manually adjust the entries that you manually changed in the SU24 transaction in the initial release. This will start the SU24 transaction in upgrade mode, and you can step by step through all applications and match the changes. If you have created custom organisational levels (ormits), you must restore them at this point using the PFCG_ORGFIELD_UPGRADE report. The report must be called for each organisational level. Only the organisation levels that you create are displayed through the Value Help. SAP Note 727536 lists questions and answers about the use of customer-specific organisational levels.
With regard to the SAP authorization system, roles and the associated authorization objects, fields and values represent the foundation. Therefore, these check criteria are in the special focus of the authorization analysis of security-relevant characteristics of each authorization administrator. The report RSUSRAUTH is used to display role or authorization data in the respective client. The report analyzes all role data that are anchored in the table AGR_1251. This allows you to quickly find and clean up incorrect and security-critical authorizations not only by selecting the maintenance status of the authorizations, but above all by storing certain authorization objects and controlling them. This ad hoc analysis thus offers you a time-saving method of checking many roles at once according to your own critical characteristics. You can then make full use of this program by importing SAP Note 2069683.
Deleting table change logs
Adapting business processes to legal requirements requires control of users and authorizations. Manage your compliance control permanently without risks. Manage users and their authorizations in all SAP systems centrally and efficiently with our solution for your SAP authorization management: Automatically generate authorization roles for users and assign them.
How to maintain security policies and map them to your users is described in Tip 5, "Defining User Security Policy." You need a separate security policy for administrators to implement this tip, which is often useful for other reasons. In this security policy, you then set the policy attribute SERVER_LOGON_PRIVILEGE to 1. For example, you can also include the DISABLE_PASSWORD_LOGON policy attribute setting, because administrators often want to be able to log in with a password on the system.
Authorizations can also be assigned via "Shortcut for SAP systems".
"SAP direct access" analyzes the licenses for actual usage and classifies the critical cases.
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
So far, changes in the SE97 transaction have been overwritten by inserting support packages or upgrades.