Redesign of SAP® Authorizations
Debug ABAP programs with Replace
A new transaction has been added to evaluate the system trace only for permission checks, which you can call STAUTHTRACE using the transaction and insert via the respective support package named in SAP Note 1603756. This is a short-term trace that can only be used as a permission trace on the current application server and clients. In the basic functions, it is identical to the system trace in transaction ST01; Unlike the system trace, however, only permission checks can be recorded and evaluated here. You can limit the recording to a specific user. You can also use the trace to search only for permission errors. The evaluation is similar to the evaluation of the system trace in the transaction ST01. In transaction STAUTHTRACE, however, you can also evaluate for specific authorization objects or for specific permission check return codes (i.e. after positive or negative permission checks). You can also filter multiple entries.
To read or modify data, a user must have both the privilege of performing a specific action and the privilege of accessing the object. The following privileges are distinguished in SAP HANA.
Authorizations in SAP systems: what admins should look out for
You can now assign transactions to these roles. Experience has shown that roles should remain application-specific and that a distinction between book or investing, changing and reading roles is also useful. There will be regular transactions used in multiple roles. You should not overestimate the often demanded freedom of redundancy. However, for critical transactions or transactions that are involved in a functional separation conflict, it is recommended that they be kept in a separate role. In general, roles should not contain too many transactions; Smaller roles are easier to maintain and easier to derive. Also, assigning them does not quickly lead to the problem that users have too many permissions. If you keep the necessary functional separations in place, you have already prepared them as a takeaway.
System Privileges (Database System) permissions: System Privileges are SQL permissions that control administrative actions throughout the database. Such actions include creating a (database) schema (CREATE SCHEMA), creating and modifying roles (ROLE ADMIN), creating and deleting a user (USER ADMIN), or running a database backup (BACKUP ADMIN).
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
The function block is used to write the usage statistics to a temporary table, from which you can extract the data for further use.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
This way, complex role hierarchies can be put together.