Security in development systems
Deletion of change documents
The specific SAP_NEW authorization object imprints are provided via the SAP_BASIS component. Therefore, an SAP_NEW profile is always bound to a specific base release. Proceed as follows: With the transaction SU02, you remove all old, individual profiles from the SAP_NEW composite profile, including the profile that belongs to the start release of your upgrade. Now assign the reduced SAP_NEW permission profile to all users in the upgrade preparation system, ensuring that all users can work as usual. This step can be omitted if you are following another method to identify missing permissions. Now check all permissions in all remaining profiles within the SAP_NEW summary profile that have a higher release level than the SAP_BASIS upgrade start release. Map all required permissions to all productive roles in your permission concept. You can do this for each intermediate release individually. The next step is to adjust the permissions in your productively used roles in the PFCG transaction, and then remove the corresponding permissions from the SAP_NEW profile using the SU02 transaction. Repeat steps 3 through 4 until the SAP_NEW permission profile is empty. Work in a development system during the role adjustment phase and transport the adjustments made to your eligibility roles to your quality assurance system. After successful acceptance test, you transport them to the production system. Now you can remove the SAP_NEW profile from all users. You can then proceed with role follow-up as part of the release change in the SU25 transaction (see also Tip 43, "Customise Permissions After an Upgrade").
If you want to maintain authorizations and profiles manually, you need to know all SAP authorization components in detail. When using the Profile Generator, on the other hand, you do not need such detailed knowledge. This considerably reduces the time and effort required to implement the SAP system.
Permissions with status
Is it necessary for your evaluations to select the blocked or invalid users? This is now directly possible with the extensions of the user information system. There is always a requirement to evaluate the existing users in your SAP system. Examples may include lists requested by auditors. In such a case, you naturally want to exclude invalid users and those with administrator lock from the selection. Up to now, you have had to perform various evaluations with the reports RSUSR200 and RSUSR002 of the user information system (transaction SUIM) and subsequently edit the lists. The findings may not have been accepted by the auditors as the lists were visibly manipulated, even if this manipulation was justified. You can now enter this selection directly. We will show you below how to search for users with password or administrator lock or exclude them from your selection.
Configuration validation uses the CCDB's configuration data to reconcile settings. To do this, you define your customer-specific security settings technically in a target system. This contains the specifications for the configuration of SAP systems. You can also define a target system based on the settings of an existing system and adapt it to your requirements. Then you compare the settings of your SAP systems with this target system on a daily basis and get an overview of the deviations. Since there may of course be different security requirements for the systems in your landscape (e.g. development and production systems), you can define different target systems with the appropriate settings. You then start the comparison with a target system for the relevant systems. Alternatively, you can compare to an actual system; For example, this is a useful function in the context of a roll-out.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
In order to nevertheless offer a procedure that is manageable and easy to handle, the SAP authorization concept was implemented on the basis of authorization objects.
Document display (transaction FB03): The document display displays only those document lines for which the user has display permissions or where the Profit Centre field is blank (initial).