Use timestamp in transaction SU25
FAQ
Thanks to the new feature provided with the Support Package mentioned in SAP Note 1847663, it is possible to use trace data from the privilege trace in the SU24 transaction for suggestion value maintenance. The system trace that you can call through the ST01 transaction or the STAUTHTRACE transaction (see also Tip 31, "Optimise Trace Evaluation") is a short-term, client-dependent trace that you can restrict to users or applications.
You can use the previously created organisational matrix to either mass create new role derivations (role derivation) or mass update role derivations (derived role organisational values update). For both scenarios, there are separate Web-Dynpro applications, in which you must select the corresponding reference roles.
Module
A new transaction has been added to evaluate the system trace only for permission checks, which you can call STAUTHTRACE using the transaction and insert via the respective support package named in SAP Note 1603756. This is a short-term trace that can only be used as a permission trace on the current application server and clients. In the basic functions, it is identical to the system trace in transaction ST01; Unlike the system trace, however, only permission checks can be recorded and evaluated here.
In the event that such conflicts nevertheless arise, regular checks should be established as part of an internal control system. Furthermore, the authorization concept includes content such as the integration of the data owner, security-relevant system settings, specifications for maintaining authorization default values (transaction SU24) and documentation requirements.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
In the results list, you can see permissions that have failed for each user, as in our example, the missing permission to display the AGR_1251 table.
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
You can see the definition of BAdIs through the SE18 transaction, and in the SE19 transaction you create an implementation of the BAdIs in the Customer Name Room.