Centrally review failed authorisation checks in transaction SU53
Starting reports
You can disable this new behaviour for the SAP_ALL profile by setting the customising switch ADD_S_RFCACL to the value YES in the table PRGN_CUST. If the ADD_S_RFCACL entry is YES, SAP_ALL still contains the total permissions for the S_RFCACL authorization object.
Two equal permissions that meet the first maintenance status condition are also combined when all the values of the two permissions differ in one field or when a permission with all its fields is included in the other. However, if there are open permission fields in a permission, they will not be combined unless all permission fields in the permission values are the same.
Security within the development system
Two other very important settings are the activation of the security audit log and the table logging. Both parameters must be activated in order to ensure traceability at the user level as well as at the table level. It should therefore be checked whether the detailed settings for the security audit log are set up in accordance with the company's specifications and, in any case, whether all users with comprehensive authorizations, such as SAP_ALL, are fully covered by the logging without exception.
Thanks to the new feature provided with the Support Package mentioned in SAP Note 1847663, it is possible to use trace data from the privilege trace in the SU24 transaction for suggestion value maintenance. The system trace that you can call through the ST01 transaction or the STAUTHTRACE transaction (see also Tip 31, "Optimise Trace Evaluation") is a short-term, client-dependent trace that you can restrict to users or applications.
Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.
It contains only the most important authorization objects for each subject area.
We therefore recommend that you schedule a background job on the PFUD transaction, which performs a regular user comparison (see Trick 17, "Schedule PFUD transaction on a regular basis").