Organisationally restrict table editing permissions
Transactions: Transactions in the audit structure start the necessary evaluations for the audit. You can recognise transactions by the clock symbol ( ). Double-clicking on the icon opens the transaction in a new window and allows you to start the evaluation. In addition, the SAIS transaction log entries for this audit activity are displayed in the upper right pane of the display. These include the current date of execution, the verifier's user ID, a check status that you assign yourself, a weighting, and a justification for the check status that you also enter into a text box. Below is an overview of the audit activities performed so far, also with a time stamp, the user ID of the verifier, the weighting of the status of the audit activity and a justification. In order not to manipulate the scanning activities, it is not possible to modify data stored once.
Due to the changed suggestion values in the SU24 transaction, you must now perform step 2c (roles to verify) to update all roles affected by the changed proposal values. Role changes are only customised! You will get a list that shows all the roles you need to edit. If you have more than one client to maintain roles, you must also do this in the other client.
Emergency user concept
The filter setting in transaction SM19 determines which events should be logged. In addition, you must activate the Security Audit Log via the profile parameters in the transaction RZ11 and make technical settings. For an overview of the profile parameters for the Security Audit Log, see the following table. The values specified in the table are a suggestion, but not the default values. The Security Audit Log is not fully configured until both the profile parameters and an active filter profile have been maintained. Note that the Security Audit Log has two configuration options: static and dynamic configuration. Static configuration stores filter settings persistent in the database; they are only applied on a system boot. The filter settings are used as the current configuration for each subsequent startup and should therefore always be maintained. The dynamic configuration allows you to change the settings in the running mode. The dynamic configuration is used when settings need to be adjusted temporarily. Here you can change all filter settings, but not the number of existing filters. Dynamic configuration will remain active until the next boot.
In addition, you can also define customised permission checks in the SOS and also define combinations of authorization objects and their values. You can create up to 1,000 custom permissions checks in the Check ID namespace 9000 to 9999. You can also redefine whitelists for these permission checks, which apply to either individual or all of the customer's permission checks. The configuration is described in SAP Note 837490.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.
In addition, the origin of the profile can no longer be traced afterwards.
Delete and recreate the profile and permissions All permissions are created anew.