Maintain generated profile names in complex system landscapes
Authorizations in SAP BW, HANA and BW/4HANA
Transaction PFCG also offers you the option of automatically collecting permissions. Not every transaction entered into a single role via a role menu necessarily needs its own permission entry in the permission tree, because some transactions have identical or similar permission proposal values.
In the SCC4 transaction, first check whether eCATT is allowed to run. Then start the SECATT transaction. As you get started, you can define and modify test scripts and test configurations. First, create a test script. Think of it as a blueprint or a flow rule for how to create new derived roles. The test script will contain your recording later. Give the script a talking name, such as Z_MASSENGERATION_DERIVATIVES. Then click the Create Object button. You will now go to the Attribute tab, where you specify the general frame data. Then click the Editor tab. Now it goes to the recording, in the eCATT language called patterns. Click the Pattern button and specify that you want to record the PFCG transaction by selecting the UIAncontrol and TCD (Record) settings. The system will propose to call the interface "PFCG_1"; You can simply confirm this. Confirmation of the dialogue will immediately start the recording; They therefore end up in the PFCG transaction. We want to record the creation of a single role derived from a reference role. Complete the appropriate steps in the PFCG transaction and try to avoid unnecessary steps - every step you take will make your recording bigger and less cluttered. Enter the name of the derived role - we can influence it later when playing with eCATT - and specify the role. Now assign the reference role. Note that the PFCG transaction is actually executed, so the role is actually created in the system! Now maintain the permissions and organisation levels. If possible, use organisational level values in the note, which you can find well in other numbers later on, i.e. about 9999 or 1234. After generating and saving the role, you will be returned to eCATT. There you will be asked if you want to accept the data and confirm with Yes.
Maintain permission values using trace evaluations
In addition to existing authorization objects, you can also create your own authorization objects and select existing authorization fields such as Activity (ACTVT). To the individual fields then, as with ACTVT, the permissible options which are deposited at the field can be specified. Thus, for an own authorization object with the authorization field ACTVT, the activity 01 Add or Replace, 02 Change and 03 Display can be selected and would then be available as a selection in the authorization field in the role maintenance.
The organisation of a company is represented in the SAP system. Keep an overview here to identify dependencies and control access permissions in an organisation-specific way. In customising, different organisational values are stored for the individual ERP components to enable an organisational mapping of the root and movement data. This mapping is required, among other things, to control access permissions or constraints. We will show you how you can get an overview of the well-maintained organisational units and see dependencies between the different organisational values.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.
The transactions "SA38" and "SE38" for executing programs are of particular importance.
However, you should remove all profiles and lock the user.