Development
Evaluate Permission Traces across Application Servers
Here we present different scenarios for the process of resetting passwords. In all scenarios, the user selects the system and the client in which a password is to be reset from a web page. Only systems and clients where this user already exists and assigned a permission should be displayed. An initial password is then generated and sent to the user's email address. Only if a user lock is set by false logins, the user must be unlocked. If an administrator lock is in place, the user should be informed accordingly. Before implementing self-service, consider the password rules set in your systems and the use of security policies. Because these settings allow you to control how passwords are generated in your systems. We recommend that you read the instructions in Tips 4, "Set Password Parameters and Valid Signs for Passwords", and 5, "Define User Security Policy".
After defining the roles and generating the corresponding authorization profiles, the individual persons in the company are then assigned to the roles. In the process, the so-called user comparison takes place and the role-specific authorizations are stored in the user master record. The master record contains all information about an SAP user, including authorizations.
Use AGS Security Services
Another special feature of the role menu is the maintenance of object-based navigation. If a call to a transaction has been executed through a button in a Web Dynpro application, you must make the Object-based Navigation settings for the transaction to call. To do this, select the appropriate item in the (F4) Help. You may need to ask the developer of the application for navigation information.
An SAP security check focuses in particular on the assignment of authorizations. This is what enables users to work with the SAP system in the first place, but it can, under certain circumstances, unintentionally add up to conflicts over the separation of functions or even legally critical authorizations. For this reason, tools for technical analysis must be used regularly to provide the status quo of authorization assignment and thus the basis for optimization.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
Over time, many authorization concepts have developed into opaque constructs.
To analyse such eligibility issues, you must therefore use the appropriate tools, such as the HRAUTH transaction for SAP ERP HCM or the RSECADMIN transaction for SAP BW.