Define S_RFC permissions using usage data
Controlling permissions for the SAP NetWeaver Business Client
Make sure that the client-independent tables for logging are always logged when the parameters are not set to OFF. In addition to the parameters listed here, the table itself must also have the table logging hook set; This is usually done with the help of the transaction SE13. The settings are made in development and then transported to the other systems. The SAP standard already provides some tables for logging; For an overview of these tables, see SAP Note 112388 (tables requiring logging). You can evaluate the logging settings of the tables using the RDDPRCHK report or the RDDPRCHK_AUDIT transaction in the SAP system. The selection is made in the start image of the report, e.g. via the table name or the selection of options for logging.
By adding certain SAP standard reports and the user information system ("SUIM"), you can quickly identify security-relevant issues and correct any errors. This improves basic management of your existing security concept and protects you against external and internal intrusions. If you need help with your system analysis, please feel free to contact us. Xiting offers you a wide range of services related to SAP Security. Above all, our proprietary security tool, the Xiting Authorizations Management Suite, or XAMS for short, allows you to build a new role concept based on your usage data and even generate a revision-compliant security concept at the push of a button. Why not see for yourself and join one of our many different webinars.
RFC interfaces
There is a special feature for roles if the corresponding SAP system is based on S/4HANA. While under SAP ERP only roles with authorizations for the GUI system were relevant, corresponding business roles are required for the applications under FIORI. In addition to the roles in which authorization objects and authorization values are entered, so-called business roles are also required.
It should be noted, however, that the system writes all authorization errors of the user into the memory area of SU53. I.e. if there is a so-called double hit, i.e. several authorization errors occur, only the last error is always in this area. I prefer to have the user run the transaction until the error message "No authorization...", then use the menu to display the error, and send me a screen shot of the first page of output. This way I avoid that the user creates another authorization error when calling transaction SU53, which covers the original one. As a user administrator or role administrator, you can also call SU53 yourself and display the error entry of another user via the menu. However, this does not always work.
With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.
In addition to the roles in which authorization objects and authorization values are entered, so-called business roles are also required.
You record the execution of a transaction and get the variables of the text blocks (technical role name, role description, etc.).