Maintain proposed values using trace evaluations
Task & functionality of the SAP authorization concept
You can do this by using the P_ABAP authorization object to override the usual permission checks. This applies to all reports that access the logical database PNPCE (or PNP). In case of a P_ABAP permission, the usual checks for authorization objects, such as P_ORGIN or P_ORGINCON, will no longer take place or will be simplified. This also applies to structural permissions. Whether the permission checks are simplified or completely switched off is controlled by the COARS field of the object. To disable all checks, set the value COARS = 2. This value does not limit the data displayed in the legitimate report. If you want to allow advanced permissions for reporting, but you do not want them to be unrestricted, you must select COARS = 1. In this case, you will also designate the P_ORGIN (or P_ORGINCON, P_ORGXX and P_ORGXXCON) authorization object. However, you must be careful not to mark all fields of the objects, otherwise direct access is also possible. Therefore, always write two versions of the P_ORGIN authorization object, one with the functional permissions (permission levels, info types, and subtypes), and one with the organisational boundaries (personnel area, employee group, employee group, and organisation keys). In addition, you will of course need a P_ABAP for the relevant reports with the value COARS = 1.
You can use the system trace function (transaction ST01) to record the authorization checks in all modes, if the trace and the transaction to be traced run on the same application server. All object fields and their values are recorded during the authorization object check.
AUTHORIZATIONS IN SAP SYSTEMS
The first line defines that access to all files is forbidden unless other settings have been made for them in the other lines. The asterisk (*) is in the first place here and in this case for all files and paths. If the asterisk is in a different position, it is interpreted as part of the file name, which is not allowed in Microsoft Windows, for example. In our example table, setting the switches FS_NOREAD = X and FS_NOWRITE = X for all paths prohibits reading and writing. This makes the table a white list. This is preferable to a black list for security reasons. SPTH, on the other hand, becomes a Black List if you remove the first line with PATH = * in our example or if you do not set any of the switches FS_NOREAD, FS_NOWRITE or FS_BRGRU. The second line with PATH = /tmp allows read and write access for all files starting with /tmp, similar to a permission value /tmp*, as an exception to the access ban defined in the first line for all files and paths. This setting is not limited to subdirectories, but includes, for example, all files whose name starts with /tmp-xy. The third line with PATH = /tmp/myfiles defines a permission group with FS_BRGRU = FILE, triggering the subsequent permission check on the S_PATH object. The SAVEFLAG = X switch defines that these files will be included in a backup procedure; however, this is not relevant for the permission award.
The Security Optimisation Service for ABAP contains more security checks than the corresponding section in the EWA. In particular, the number of eligibility checks is higher. A total of 110 eligibility tests are currently defined in the SOS, including 16 critical eligibility tests for HR. The full list of all security checks in the SOS can be found in the SAP Service Marketplace on the page https://service.sap.com/sos via Media Library (Security Optimisation Service > ABAP Checks).
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
You define your security requirements for the entire SAP system landscape; they concern, for example, the settings of the profile parameters, the handling of safety instructions or critical permissions that may only be assigned to emergency users.
The values for each entry in this field are entered in the permissions of the role.