Authorization concepts - advantages and architecture
System trace function ST01
The authorisation trace is a client- and user-independent trace. The results of this trace are written in the USOB_AUTHVALTRC table and can also be viewed in the STUSOBTRACE transaction by clicking the Evaluate button. This trace data can be used by developers to maintain the permission proposal values in the transaction SU22 (see also Tip 40, "Using the permission trace to determine suggested values for custom developments").
With the help of the transaction SU22, the software developers can deliver their application with the appropriate authorization objects. After the transfer of the data from the transaction SU22 to the tables from the transaction SU24, the role developer may further process the proposed values with the transactions SU24 or SU25 for use in the transaction PFCG. Please also refer to the SPA 1539556.
Determine Permissions Error by Debugging
System trace - Transaction: ST01 or STAUTHTRACE - There is also a system trace for an evaluation. Unlike the authorization trace, a system trace is mainly designed for short periods of time. My preferred variant to call the system trace is via the transaction STAUTHTRACE. Here you can filter the evaluation directly and get a better evaluation representation. Over the individual Buttons one can switch directly the Trace on or off and display the result of the Trace.
Before you start and define critical permissions, you should identify your core business processes or functions and then map the conflicting processes in meaningful combinations as so-called risk. The RSUSR008_009_NEW report cannot replace a GRC system (GRC = Governance, Risk, and Compliance) with the SAP Access Control component. Rather, this report should be understood and used as an indicator of the current system state. The report identifies the users that have the critical permission combinations defined in the USKRIA table. The identifier, which can also be called a risk ID, describes a combination of authorization objects with field names and field values. These are linked to one of the two operatives AND or OR available.
Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.
To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.
Any deviation from the defined process must be fully documented and justified.
If the asterisk is in a different position, it is interpreted as part of the file name, which is not allowed in Microsoft Windows, for example.