SAP S/4HANA: Analysis and simple adjustment of your authorizations
PRGN_COMPRESS_TIMES
Since 2001, SAP has been working with the German-speaking SAP user group (DSAG e. V.) Model rolls for tax inspectors developed and revised over the years. The role definition reflects an interpretation of the DSAG of the concept of tax-relevant data.
However, the authorization trace is not active by default, but must be explicitly activated via the profile parameter "auth/authorization_trace". In transaction RZ11 you can easily and quickly check if the parameter is already set. The profile parameter is set in transaction RZ10. By default, the profile parameter is active in SAP systems (profile parameter transport/systemtype = SAP) and inactive in customer systems (profile parameter transport/systemtype = CUSTOMER).
Use Custom Permissions
The Security Optimisation Service for ABAP contains more security checks than the corresponding section in the EWA. In particular, the number of eligibility checks is higher. A total of 110 eligibility tests are currently defined in the SOS, including 16 critical eligibility tests for HR. The full list of all security checks in the SOS can be found in the SAP Service Marketplace on the page https://service.sap.com/sos via Media Library (Security Optimisation Service > ABAP Checks).
The S_START boot authorisation check is delivered inactively by SAP. If this test is activated in an AS-ABAP installation (see also SAP Note 1413011), this will affect all clients. Therefore, before you activate, it must be ensured that all affected users in the permission profiles associated with them have the necessary values in the S_START permission fields.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
Setting the confidentiality or encryption markers in the SEND_EMAIL_FOR_USER method affects the display of the e-mail in Business Communication Services Administration (transaction SCOT).
If you want to know more about SAP authorizations, visit the website www.sap-corner.de.
Now, to set up correct permissions for the non-manageable external services in the GENERIC_OP_LINKS folder, you can identify the external services you need for your CRM business role and delete all other external services.