Virtualization of your SAP system landscape
Use of the Security Audit Log
From a purely technical point of view, each generated authorization role contains a profile from which a user receives the actual authorization objects and authorization characteristics. If this profile is outdated or not assigned at all, the user will not have all the authorization objects contained in the authorization role. Incidentally, the problem arises particularly frequently after role transports: If an authorization role is changed in the development system and then transported to the production system, the current profile is not automatically assigned to the users with the respective role. A user comparison must therefore be performed here.
In order to ensure the necessary expertise both in the direction of application and application-related IT departments as well as in the direction of infrastructure units, the SAP basis should be divided into an infrastructure-related SAP basis and an application-orientated SAP basis. The infrastructure-based SAP basis acts as a contact level and point of contact for IT departments such as virtualisation, storage management and databases. The application-orientated SAP basis serves as the contact and coordination level for application-related topics. BUILDING OVERARCHING EXPERT TEAMS WITH SAP basis INVOLVEMENT To reduce organisational friction points as well as to optimally handle selected topics, it is recommended to set up expert teams with the participation of the SAP basis. These teams of experts can be virtually organised and therefore of temporary duration and consist of participants from all relevant IT disciplines or business areas. If the topic of the virtual group of experts is the focus of the SAP basis, the SAP basis will take over the management and control of the expert team.
Backup concepts
The database layer is where all of a company's data is stored. In essence, it consists of a database management system (DBMS for short) and the data itself.
Only one transaction code can be entered here, otherwise a single role would always be searched, which includes all transactions searched for and is assigned to the respective user. However, since the transactions can also be assigned to the user via different roles, this would not be useful. If you use the above Input variants are also only considered transactions that have been maintained in the role menu. If it is not certain whether the transaction was entered in the menu or in the S_TCODE privilege object of the role, up to four transactions can also be checked by searching through the S_TCODE permission object. Important is the attention and appropriate use of the AND/OR relationship. After the query is executed, the roles that contain the requested transaction and are associated with the user are now displayed. If you use the search through the S_TCODE permission object, the following result page appears. When looking at the result, in addition to limiting the number of transactions that can be entered, another drawback of this variant becomes apparent: Although both associated roles are displayed, at first glance it is not possible to see which transaction is contained in which role. To do this, the roles would have to be considered individually. If more transactions with user assignment are to be identified at the same time and the role assignment is to be seen directly, the use of the transaction SE16N is recommended.
"Shortcut for SAP Systems" makes it easier and quicker to complete a number of SAP basis tasks.
This data can consist of data tables, applications or system control tables.
In addition, type a short description as usual and confirm.