Introduction & Best Practices
Without this provisioning component, adjustments to employee permissions in the respective IT resources would have to be implemented by the relevant system administrators. However, manual provisioning processes are by their very nature a source of errors. If an employee's tasks change, the system administrator should consider all active user accounts when modifying and deleting accounts. A modern IDM system therefore helps companies to keep track of users and their permissions, especially in complex and heterogeneous system landscapes.
He has already gathered a lot of helpful information from the day-to-day business in his department: Johannes knows the RFC interfaces and the corresponding technical RFC users from his work with the applications. He also quickly got the password for various RFC users via the radio ("As long as passwords are only communicated by phone and never exchanged in writing, we are clean!"). And that the RFC users are generously entitled even in productive systems is no longer a secret ("Better to have more permissions than too little; the RFC connections have to run, otherwise there is trouble from the specialist areas!"). Since Johannes has access to the SE37 as a developer, it is not a problem to get the necessary access using the function block BAPI_USER_CHANGE - disguised as RFC User. In short, it changes the user type of a technical RFC user in a production system from
to by calling the function block.
Creation of documentation
A BW system often plays a very central role in larger companies. Here the data from the various connected source systems are analysed and reported centrally. A previous customer of mine had a BW system, to which a total of over 20 other SAPP production systems were connected. With such a large and mostly living system landscape, it is normal that individual systems are dismantled from time to time. However, especially with large SAP landscapes, there are strict regulations regarding the permissions of technical RFC users. For this reason, the simple "right-click —> delete" of a source system in RSA1 will often not lead to the target, but rather to a failed permission check. With this blog post, I'll show you a workaround on how to clean a source system from a BW system using the RSAR_LOGICAL_SYSTEM_DELETE and RSAP_BIW_DISCONNECT function blocks.
All of the above tasks have been part of SAP Basis Administration for decades. However, SAP software has changed a lot since the introduction of HANA in 2010, and with that, the SAP system administrator's job has changed as well. Here are some of the key differences:
Use "Shortcut for SAP Systems" to accomplish many tasks in the SAP basis more easily and quickly.
Ten years ago, SAP HANA was little more than a promise that made SAP CEO Hasso Plattner's eyes light up.
Approach to release rejected transport orders The screenshot below shows the situation in the STMS transaction where a transport order in the quality assurance area was rejected.