Permissions objects already included
Use timestamp in transaction SU25
Finally, we would like to draw your attention to SAP Note 1781328, which provides the report PFCG_ORGFIELD_ROLES_UPD. This report enables a mass update of existing role derivations. However, you do not use the concept of the organisational matrix, but you have to store the new organisational values directly when the report is called. Therefore, this function requires a high degree of understanding for the adjustments that are running in the background and is therefore only available as a pilot note. This means that this message must be explicitly requested via a customer message and only then will SAP support release it for you if necessary. It is not currently planned to make the information generally available via a support package.
The results of the evaluation are marked with a coloured symbol. Classification varies for the different eligibility tests. The EWA does not only contain security-related tests and is therefore divided into different sections (e.g. hardware, performance). The test results in these areas are displayed with a traffic light symbol. If one of the tests within a section is indicated in red, the traffic light for that section shall also be set in red.
Risk: historically grown authorizations
The downloading of the table must be monthly. You can also make downloading easier; Frank Buchholz presents programmes that you can use in his blog (see http://wiki.scn.sap.com/wiki/display/Snippets/Show+RFC+Workload+Statistic+to+build+authorizations+for+authorization+object+S_RFC). Optionally, the next step is to identify function groups for the function blocks. You can find them in the AREA field of the ENLFDIR table. However, we recommend granting permissions at the function block level, because function groups often contain a large number of function blocks and the accessibility is expanded unnecessarily.
If you use the option described by us to reload the change documents into a shadow database, you should also run the report SUIM_CTRL_CHG_IDX after each reload operation, marking the field Indexes loaded change documents. In this case, all reverse-loaded change documents shall be taken into account. Before doing so, all index entries must be deleted; This can lead to a long run of the report.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
In the SU22 transaction, the developers of an application maintain the proposed values for all required authorization objects; the authorisation trace helps in this.
For simplicity, we want to explain this example by using the PFCG_TIME_DEPENDENCY background job.