Retain the values of the permission trace to the role menu
Centrally review failed authorisation checks in transaction SU53
The applications (transactions, Web-Dynpro applications, RFC building blocks, or Web services) are detected through their startup permissions checks (S_TCODE, S_START, S_RFC, S_SERVICE) and can be placed in the role menu of your role. In your role, go to the Menu tab and import these applications by clicking Apply Menus and selecting Import from Trace. A new window will open. Here you can evaluate the trace and view all recognised applications in the right window. To do this, click the Evaluate Trace button and select System Trace (ST01) > Local. In a new System Trace window, you can specify the evaluation criteria for the trace, such as the user using the Trace field only for users or the time period over which to record. Then click Evaluate.
A user is displayed in the results list if one of the two transactions with the corresponding expression is included in its corresponding permission profile. If the logical link were fully linked to OR, a corresponding user would appear in the results list if only one of the four permissions is in the user's master set and thus in the permission profile.
Hash values of user passwords
Upgrades also require that the eligibility roles be revised. In this context, you can use the SAP_NEW profile for support. During an upgrade, changes and enhancements to permissions checks are included in SAP NetWeaver AS ABAP. In order for users to continue to perform their previous actions in the SAP system as usual, you as the permission administrator must revise or add to the authorisation expressions within the framework of the established permission concept. Basically, you use the transaction SU25 for this purpose. For the transition period, you can use the SAP_NEW permission until the permission concept is up to date on the new release. Since the handling of SAP_NEW is not always transparent and the question arises, for example, when the profile should be assigned and when not, we explain the background here.
When you select the row with the parameter transaction you created and click on the Suggest values button, the S_TABU_NAM authorization object is automatically created with the correct suggestion values, i.e. the table name in the transaction SU24. Check these suggestion values by clicking Yes in the S_TABU_NAM column. You will now end up in a view from the transaction SU24 and can check in the tables authorization objects and Permission Proposition Values (for all authorization objects) which changes to the object S_TABU_NAM have been made automatically. For more information and implementation guidance, use SAP Note 1500054. The SAP Note also provides the SUSR_TABLES_WITH_AUTH analysis report, which specifies table permissions for users or individual roles. This report checks at user or single-role level which tables have permissions based on the S_TABU_DIS or S_TABU_NAM authorization objects. The report does not check whether the user has the transaction startup permissions that are also necessary, such as S_TCODE. For example, if you check what table permissions a particular user has based on the S_TABU_DIS authorization object, you will receive information about the table names, the associated table permission group, and the eligible activities. Granting permissions to access tables directly is flexible and useful, and is not recommended unless the mechanism is hammered out by giving the user general table access through generic maintenance tools.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
This authorization should only be given to an emergency user.
Authorization trace - Transaction: STUSOBTRACE - Transaction STUSOBTRACE is used to evaluate the authorization trace in the SAP system.