SAP systems: Control user authorizations with a concept
Compare Role Upgrade Permissions Values
If the programme determines that both of the criteria set out in the previous bullet points are met, the criterion of equality shall apply. This means that the proposed values of the permission that is already in place and to be added will come from the same transaction. Thus, the programme does not add a new default permission to the permission tree.
As part of the implementation of a security patch process, you will have to evaluate many security advisories, depending on your release and support package status. In this case, you can use the RSECNOTE report or the EarlyWatch Alerts to evaluate which security information has been identified as particularly critical by SAP Active Global Support. Since March 2013, the RSECNOTE report has only been very restricted and therefore contains only a few new safety recommendations. Nevertheless, it provides good guidance for the initial resolution of security gaps.
Authorization concept of AS ABAP
At the latest, if it is no longer possible to clearly define which transactions should be included in which roles and which roles a user requires, a correction is necessary. It must be clear which rights are required for the individual tasks in the system.
The SAP NetWeaver Application Server ABAP 7.31 changed the way the transaction SU25 works, especially from step 2a to the automatic suggestion value matching with SAP values. Now, this compares which records have been updated using time stamps. This makes it possible to run Step 2a separately for software components installed afterwards. Another advantage is that the objects to be edited can be better identified due to the time stamp. Before SAP NetWeaver 7.31, the applications to be matched for step 2a have been registered with their base release versions, which you can see in the USOB_MOD or TCODE_MOD tables.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
If these issues are not taken into account during a conversion, there will be an imbalance between the system and the components to be protected, since the change in the system constellation means that new components, such as those mentioned above, must also be taken into account.
After confirming these entries, you will be returned to the detail view of your role.