What to do when the auditor comes - Part 1: Processes and documentation
In the FIORI environment, there are basically two different types of access via a tile. One is the transactional tiles and the other is the native or analytical tiles :
Look closely at the security advisory so that you can identify the affected programmes or functions and schedule appropriate application tests. Use a test implementation in the SNOTE transaction to identify additional SAP hints that are required for a security advisory and may also contain functional changes.
Excursus Special feature for authorizations for FIORI Apps under S/4HANA
With the transaction SUIM you can search under roles, roles with different search criteria. The variant "Roles by complex selection criteria" covers all possible selection criteria. However, you can also search only for a specific selection criterion (e.g. only for transactions, only for authorization objects...).
With the help of the SAP-Note 1642106 it is possible to automatically perform the text comparison from SAP NetWeaver AS ABAP 7.0. Inserting the note will automatically perform text matching for any changes to PFCG roles in the central system. We recommend that you install the support package that is appropriate for your release, which is specified in the SAP Note, because inserting the hint requires a lot of manual work. With the help of the SUSR_ZBV_GET_RECEIVER_PROFILES report, you can turn on the new functionality in all subsidiary systems where the correction information has also been recorded. If you run the report in the central system with the default selection, all subsidiary systems are included. You can check whether the function is present in the daughter systems in the report log.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
However, it is not sufficient to focus only on the improvement potentials that have been presented, because it must be ensured that all those points that have not been criticized in the past will continue to fit.
You will need to call this transaction again to read the programmed exit and select it.