Evaluate Permission Traces across Application Servers
Deleting table change logs
The logging takes place in both the central system and the subsidiary systems. If the change documents are to be read for the attached subsidiary systems, the subsidiary systems must also be at the release and support package status specified in SAP Note 1902038. In addition, RFC users in their daughter systems need permission to read the change documents using the S_USER_SYS authorization object with the new activity 08 (Read the change document).
To do this, in the SU24 transaction, open the application you want to customise. To maintain the missing suggestion values, you can start the trace here by clicking on the button Trace. You can of course also use the system trace for permissions via the ST01 or STAUTHRACE transactions. A new window will open. Click here on the Evaluate Trace button and select System Trace (ST01) > Local. In the window that opens you now have the opportunity to restrict the trace to a specific user or to start it directly. To do this, enter a user who will call the application you want to record, and then click Turn on Trace. Now, in a separate mode, you can call and run the application you want to customise. Once you have completed the activities that you need permission checks, i.e. you have finished the trace, you will return to your application in the transaction SU24 and stop the trace by switching off the button trace. To perform the evaluation, click the Evaluate button. To obtain the trace data for each authorization object, select the authorization object you want to customise in the upper-left pane of the Permissions object drop-down list.
Important components in the authorization concept
In general, we recommend you to use strong encryption mechanisms and to switch most users to an SSO login. You should then delete the hash values of the user passwords as described above. For release-dependent information on SNC client encryption, see SAP Note 1643878.
The case that the user buffer is not up to date is very rare. The auth/new_buffering profile parameter sets the value 4 to immediately update the permissions, i.e. changes to the user root or roles or profiles, and write them to the USRBF2 database table without requiring a new login. This value is set by default. The fact that the buffer is not up-to-date is recognised by the fact that existing permissions that are not in the buffer are marked in the transaction SU56 with the note "In the root data but not in the user buffer".
Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.
So much information... how can you keep it so that you can find it again when you need it? That's what Scribble Papers is great for.
As a small anticipation, I may refer here to some SAP blogs on the subject of SAP Basis or also the VideoPodcast "RZ10 LIVE SAP BASIS AND SECURITY" from rz10.de picks up topics in the area of authorizations again and again and is instructive here :-).
In the program, the appropriate syntax is used to determine whether the user has sufficient authorization for a particular activity by comparing the field values specified in the program for the authorization object with the values contained in the authorizations of the user master record.