Module
Which challenges cannot be solved with authorization tools alone?
From the result of the statistical usage data, you can see which transactions (ENTRY_ID) were used, how often (COUNTER), and how many different users. There are various indications from this information. For example, transactions that were used only once by a user within 12 months could indicate a very privileged user, or inadvertently invoking a transaction for which a user has permissions. The future assignment of such transactions in the SAP role concept should then be critically questioned. In contrast, you should consider transactions with a high level of usage and a large user circle (e.g. with more than ten users) in an SAP role concept.
Thus, after evaluation, you can select all SAP hints with the status to implement and load directly into the Note Assistant (transaction SNOTE) of the connected system. This is only possible for a development system and if the SAP Solution Manager can use an appropriate RFC connection to the connected system. You should also consider the security advisories that apply to applications that are installed on your system but that you do not use productively. These vulnerabilities can also be used for an attack.
Custom requirements
Numbers/reminders: The payment and/or collection procedure shall be managed solely on the basis of information from the collection perspective (in particular Table BSEG). For customer and vendor transactions, the Profit Centre is not included in the SAP journal masks by default, and is therefore not available on the appropriate BSEG document lines. Since numbers and warnings are usually centrally controlled processes, this should not be a problem in practice.
Changes in customizing and various security-relevant changes, such as the maintenance of RFC interfaces, can be viewed via table change logs. This authorization should only be given to an emergency user.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.
Since Release 4.6D, the system creates a new folder for each of the roles included in the pulley when rebuilding a Collective Roll menu at the first hierarchy level, and only then the corresponding menu is located.
To avoid inconsistencies in the user master kits, you must reconcile the users in the daughter system after the ZBV is activated.