SAP Authorizations Analyse and evaluate permissions using SAP Query

Analyse and evaluate permissions using SAP Query
Define S_RFC permissions using usage data
Before you start upgrading the proposed values and roles, there are a few things to consider. SAP Note 1539556 lists all questions and answers about the administration of proposed values. As soon as you start transaction SU25, a pop-up window points you to SAP Note 440231 (upgrade preparation for the profile generator). This note provides information on recommended revisions for certain SAP base versions and recommendations for additional guidance, which are listed in the annex.

If you want to cancel, release, or reset other users' jobs to scheduled status, you must have permission for the S_BTCH_ADM object with a value of Y. Alternatively, you can also grant the JOBACTION = MODI and JOBGROUP = permission for the S_BTCH_JOB object. The MODI value was introduced with SAP NetWeaver AS ABAP 7.00 or can be implemented via SAP Note 1623250. The following illustration shows an example of how the JOBACTION = MODI privilege is expressed for the jobs of the users listed under JOBGROUP.
Grant spool jobs
Permissions must have both an identical maintenance status (default, maintained, modified, manual) and an identical active status (active or inactive). Changed permissions and manual permissions are the exceptions; these are combined whenever the active status is identical.

Please note that, depending on the results of the RSUSR003 report, a system log message of type E03 is generated. If a critical feature (highlighted in red) is detected, the message text "Programme RSUSR003 reports ›Security violations‹" is written into the system log. If no critical feature has been detected, the message "Programme RSUSR003 reports ›Security check passed‹" is displayed instead. This message is sent because the password status information of the default users is highly security relevant and you should be able to track the accesses. For the RSUSR003 report, you can grant the change permissions for user and system administration, or you can grant only an execution permission with the S_USER_ADM authorization object and the value CHKSTDPWD in the S_ADM_AREA field. This permission does not include user management change permissions and can therefore also be assigned to auditors.

The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".

The User Information System is a powerful tool that allows you to perform various evaluations:
- In which roles is the transaction ME23N included?
- Which transactions may a specific user execute (see also report RSUSR010)?
- Which customer-specific authorization objects exist in the SAP system?
- How do two roles differ (see also report RSUSR050)?

Conversely, you cannot use an existing transaction role in the menu as a customising role.