RSUSR003
SAP Authorization Trace - Simple Overview of Authorizations
You can access the ABAP Test Cockpit from the context menu of the object to be checked via Verify > ABAP Test Cockpit. Note that the global check variant of the Code Inspector that you created in the transaction SCI and that is entered as the default in the transaction ATC (ATC configuration) includes the security tests of the extended programme check of the SAP Code Vulnerability Analyser.
The following sections first describe and classify the individual components of the authorization concept. This is followed by an explanation of which tasks can be automated using the Profile Generator.
Hash values of user passwords
This report not only gives you an overview of the table logging settings in the tables, but also allows you to select multiple tables for logging. The Log flag button allows you to set the table logging check for all previously selected tables. The current status of the table loggers for the tables can be found in the Protocol column. The icon means that the table logger for the selected table is off.
A new transaction has been added to evaluate the system trace only for permission checks, which you can call STAUTHTRACE using the transaction and insert via the respective support package named in SAP Note 1603756. This is a short-term trace that can only be used as a permission trace on the current application server and clients. In the basic functions, it is identical to the system trace in transaction ST01; Unlike the system trace, however, only permission checks can be recorded and evaluated here. You can limit the recording to a specific user. You can also use the trace to search only for permission errors. The evaluation is similar to the evaluation of the system trace in the transaction ST01. In transaction STAUTHTRACE, however, you can also evaluate for specific authorization objects or for specific permission check return codes (i.e. after positive or negative permission checks). You can also filter multiple entries.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
By means of a profile generator (transaction PFCG) the creation of the authorization profile can be automated in SAP.
We therefore always recommend that you prevent access to the system by setting the validity of users.