System Security
General considerations
What roles does my user have (SU01)? We start with a simple question: which roles are actually assigned to your SAP user? With the transaction SU01 you can view your (or other) SAP user. Among a lot of other information, you can find the assigned single and composite roles on the "Roles" tab.
All external services for cross-navigation are stored in the role menu in the GENERIC_OP_LINKS folder. In addition to this information, this folder also contains external services that represent the already mentioned area start pages and logical links. You can delete the latter, as these are duplicates from the other folders or non-relevant external services. Now, to set up correct permissions for the non-manageable external services in the GENERIC_OP_LINKS folder, you can identify the external services you need for your CRM business role and delete all other external services. However, as I said, there is a risk that too many external services will be deleted and cross-navigation or calling the saved searches will no longer work. It is better to move the GENERIC_OP_LINKS folder to a separate role.
Edit Old Stand
The best way for companies to combat historically grown uncontrolled growth in authorizations is to prevent it. An analysis of whether the current authorization concept is sufficient for the company helps here.
Certain permissions that are not relevant until a job step is run are checked at the time of scheduling for the specified step user. This checks whether the selected user is authorised to run the specified ABAP programme or external command. For programmes associated with a permission group, the S_PROGRAM object is checked. External commands test for the object S_LOG_COM.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
We present the security services offered by SAP Active Global Support (AGS).
Developer and customizing authorizations represent a great potential danger in productive SAP systems.