User Management
Maintain generated profile names in complex system landscapes
First and foremost, legal principles must be stated and specific reference must be made to authorizations that are critical to the law and that may not be assigned (or at most may be assigned to emergency users). An example is the authorization "Debugging with Replace", to which the object S_DEVELOP with the values ACTVT = 02 and OBJTYPE = DEBUG legitimizes and over which data can be manipulated by main memory change. However, this would violate § 239 of the German Commercial Code, the so-called "erasure prohibition".
By inserting SAP Note 1723881, you resolve the third of these problems by banning the recording of the same role on different transport orders. To enable this change in system behaviour, you must set the CLIENT_SET_FOR_ROLES customising switch to YES in the PRGN_CUST table. This toggles the setting in the SCC4 transaction for changing and recording custom customising objects ("Client modifiability") for role maintenance.
Limitations of authorization tools
With the transaction SUIM you can search under roles, roles with different search criteria. The variant "Roles by complex selection criteria" covers all possible selection criteria. However, you can also search only for a specific selection criterion (e.g. only for transactions, only for authorization objects...).
If it is clear that a cleanup is necessary, the first step should be a detailed analysis of the situation and a check of the security situation. Based on these checks, a redesign of the authorizations can be tackled.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
A troublesome scenario you're probably familiar with: You will soon be going live with a new business process and must now derive your roles in 97 accounting circles.
Wildgrowth of characters used in user IDs can have negative effects.