Permissions objects already included
Dissatisfaction and unclear needs in the process
The assignment of the SAP_ALL profile is not required for the operation of an SAP system; therefore, a yellow icon will appear for the first check once a user has assigned the profile. For the other six checks on critical base permissions, the yellow icon will be displayed when a client is found on the system and at least one of the following two conditions applies: More than 75 users have the permission checked in this check. More than 10% of all users have the permission checked in this check, but at least 11 users.
Your system has inactive users? This is not only a security risk, as they often use an initial password, but also creates unnecessary licence costs. There will always be inactive users in your SAP system. There may be several reasons for this. For example, they may be management level users that are virtually unused because they are not using the ERP system. It could also be that employees no longer use their SAP user due to a change of position or that outsiders do not work on the SAP system for a while. In any case, you should ensure that these inactive users are either blocked or invalidated. Up to now, you had to select all inactive users with the help of the RSUSR200 report and then manually transfer them into the SU10 transaction to perform the blocking. You can now do this automatically.
Note the effect of user types on password rules
To calculate the recommendations, you can filter the SAP notes by their productive system, by the SAP solution, and by the applications and components, by the technical system name, and by the time of publication. The recommendation is issued in the following categories: Security-relevant SAP information, information on performance optimisation, HotNews, information on changes in legal regulations, and notes on corrections in the ABAP system.
Additional permission check on the S_RZL_ADM authorization object: For security reasons, an additional permission check is performed on the S_RZL_ADM authorization object for special PSE (Personal Security Environment) files with access type 01 (Create). These files are called *.pse and cred_v2. These files are required for single sign-on, encryption and digital signatures. They are maintained using the transaction STRUST and the transaction STRUSTSSO2, which require the same permission (see SAP Note 1497104 for details).
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
For example, they may be management level users that are virtually unused because they are not using the ERP system.
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
, you need to verify that the relevant tables may be provided through other transactions.