Optimization of SAP licenses by analyzing the activities of your SAP users
User Interface Client Permissions
The Security Audit Log now logs the table or view name and the scheduled activity of external table access via RFC connections; a new message type has been defined. You can find this fix and an overview of the required support packages in SAP Note 1539105.
The SAP Code Vulnerability Analyser can be used to scan both custom on-premise and on-demand applications programmed in ABAP. The SAP Code Vulnerability Analyser is included with SAP NetWeaver AS ABAP 7.02; an installation is not necessary. For details on the relevant support packages, please refer to SAP Notes 1921820 and 1841643. You do not need additional servers or additional administration. You can activate the SAP Code Vulnerability Analyser with the RSLIN_SEC_LICENSE_SETUP report, but you have to pay additional royalties for it.
Permissions with Maintenance Status Used
The RESPAREA field has a maintenance dialogue that allows you to enter areas of responsibility. The care dialogue is called as a building block and provides different tabs for input depending on the authorization object. Now, if you declare the RESPAREA field to be the organisation level, you must first set the display of the tabs for input in customising. To do this, you must add an entry to the KBEROBJ table that is independent of the client by using the SE16 transaction. In this entry, leave the first OBJECT field blank. The CURRENTOBJ field must be maintained because it defines the tab that will be displayed when the maintenance is called, i.e. the Default tab. If this field is blank, no startup image can be found and errors occur. The following fields determine the contents of the various tabs and should therefore also be maintained so that you can use RESPAREA as an organisational level. These are the OBJECT1 to OBJECT7 fields for the first to the seventh tab. In these seven fields, you define what values you can enter on the tabs.
You can translate text blocks in permission roles individually using the SE63 transaction. If you need to translate many roles, there are also automation options that we present here. There are several scenarios in which it becomes interesting to translate the texts of permission roles, for example, if your company is acting internationally. Also, you may have taken over a third party company and the SAP systems used there, or you may want to simplify the SAP system landscape by combining different divisions in one system. In all of these cases, you must standardise or translate the texts of the authorisation roles. For pure translation, you can use the transaction SE63, which we explain in the first section of this tip. In general, however, you will need to translate a large number of role texts in these scenarios; Therefore, in the second section we will explain how you can automate the translation using the LSMW (Legacy System Migration Workbench) transaction and will discuss how to set up a custom ABAP programme.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
It's time again: If you don't have anyone in your department who likes to press the Copy button for several hours in the PFCG transaction, replace the Derive shortcut, and then customise the Organisation Levels (Origen) in the new roles on the Permissions tab (repeatedly connected to memory), the job will hang on you.
If the role should only allow access to certain external services, regardless of the customising (or only to the external services specified in the customising), it becomes a little trickier.