Reset Manually Maintained Organisation Levels to Roles
Implementing CRM Role Concept for External Services
Authorization trace - Transaction: STUSOBTRACE - Transaction STUSOBTRACE is used to evaluate the authorization trace in the SAP system. This is a trace that collects authorization data over a longer period of time in several clients and user-independently and stores it in a database (table USOB_AUTHVALTRC).
You can also evaluate the application log through the SLG1 (ATAX object) transaction; the output of the report CA_TAXLOG seems more useful here. Finally, we have some important information for you: There are individual programmes that can be used read-only, but also offer options for updates to the database. In these cases, additional logic was implemented (e.g. in SAP Note 925217 to the RFUMSV00 programme for the sales tax pre-reporting). Action log data can be accessed via the transaction SLG2 (Object: ATAX) (see also SAP Note 530733). If you want to customise for the annual permissions directly in the production system (so-called "current setting"), the SAP Note 782707 describes how to do this. Basic information about Current Settings is provided in SAP Notes 135028 and 356483. SAP Note 788313 describes in detail the functional components of the time-space test and the additional logging and also serves as a "cookbook" to use in customer-specific developments. How you can prevent access to the SAP menu and only show the user menu to the user, we described in Tip 47, "Customising User and Permissions Management".
RSUSR008_009_NEW
Like all other security issues, SAP authorizations must be integrated into the framework used. The risks associated with incorrectly assigned authorizations must be classified as very high. The definition of a holistic governance, risk and compliance management system is required. This ensures that risks are recorded, analyzed, evaluated, coordinated and forwarded within the company at an early stage. Accordingly, the risks arising from incorrectly assigned SAP authorizations or from a lack of a process for monitoring authorizations are also included here.
Reference users are not intended to access an SAP system, but are used for authorisation administration and therefore always have a disabled password. Reference users inherit the permissions assigned to them to the users with whom the reference user is registered. For this purpose, the user buffer of the reference user is also created at login and these entries are also checked during permission checks of the inheriting user.
Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.
A prerequisite for the user buffer to be up-to-date is the correct user matching (green instead of yellow statusabilds on the Users tab).
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
However, it is crucial to justify this in a comprehensible manner.