SAP Security Automation
Existing permissions
Assigning clear authorizations to employees is not a sign of mistrust, but offers a high level of protection - both for the company and for the employees themselves. By assigning SAP authorizations on a role-specific basis, each employee is given access to the system according to his or her task.
An alternative to using the S_TABU_LIN authorization object is to create custom table views that make organisational delimitation easier to achieve. To do this, create a new view in the SE11 transaction and add the table to which the constraint will apply on the Tables/Join Conditions tab. The Selection Conditions tab allows you to specify your restrictive organisational condition in the form of a field and a field value. You then authorise all relevant users to access the view, which contains only data for your organisational restriction.
Maintain generated profile names in complex system landscapes
If you want to set the table logger check for multiple tables, you should note that the principles for changing Dictionary objects apply, i.e. you will generate increased system loads in running systems. Therefore, you should make both the modification and the transport of the changes outside of business hours. The SAP system only provides customising tables for table logging by default; so you don't have to worry about performance. Tables that serve to customise typically contain relatively little data that is rarely changed. However, you should not turn on table logging for tables that are subject to mass changes, as there may be performance and disk space issues. This applies to tables with root or movement data. After all, if table logging is enabled, a log entry in the DBTABLOG table is generated for each change to the contents of a logged table.
As a second way to automate the mass maintenance of role pipelines, we mentioned the use of business role management. Various solutions are offered on the market that offer this functionality in the same or similar form. Some of these solutions do not use the derivation concept; This has the advantage that the organisational matrix is not limited to organisational fields. However, the major deviation from the standard functionalities of the PFCG role is detrimental to this variant.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
If you have added this note, the profile will no longer be used.
To prevent this, an authorization concept must be in place that describes how authorizations are to be created and assigned to users.