Permissions objects already included
Manual authorizations
Note that the SAP_NEW_ individual profiles should be retained themselves, so that at any given time, traceability is ensured as to which release and which permission was added. For more information, see SAP Notes 20534, 28175, and 28186. SAP Note 1711620 provides the functionality of an SAP_NEW role that replaces the SAP_NEW profile. If you have added this note, the profile will no longer be used. Instead, you can generate your PFCG role SAP_NEW by using the REGENERATE_SAP_NEW report. When you call the report, in the source and target release selections, type in the appropriate fields, and the role is created for that release difference.
After activation, advanced security checks are available in the usual development environment within the ABAP Test Cockpit. The ABAP Test Cockpit is a graphical framework for developers. Various test tools, such as the Code Inspector or the SAP Code Vulnerability Analyser, can be integrated into this. All available test tools can be initiated from this central location and present their results in a common view. No training is required to intuit the tool.
Architecture of authorization concepts
Repair defective field list in SU24 suggestion values: This function verifies that all the authorization objects used in the permission proposals are consistent, that is, fit to the authorization object definitions from transaction SU21. If there are no permission fields or if there are too many entries, these data will be corrected in the proposal values.
The report RSUSR008_009_NEW (List of users with critical permissions) is provided starting with SAP Web Application Server 6.20 with the following support packages: Release 6.20, starting with SAPKB62039 Release 6.40, starting with SAPKB64003 You can continue using the old reports RSUSR008 and RSUSR009 until release 6.40. The RSUSR008_009_NEW report is delivered with the old SAI proposals for critical credentials already used in the RSUSR009 report.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
In the evaluation of the Permission trace, an additional column named Server Name appears, showing you the name of the application server on which the respective permission checks were logged.
This role is now available for you to assign to users.