SAP Authorizations Maintain generated profile names in complex system landscapes - SAP Admin

Direkt zum Seiteninhalt
Maintain generated profile names in complex system landscapes
Structural authorizations
A new transaction has been added to evaluate the system trace only for permission checks, which you can call STAUTHTRACE using the transaction and insert via the respective support package named in SAP Note 1603756. This is a short-term trace that can only be used as a permission trace on the current application server and clients. In the basic functions, it is identical to the system trace in transaction ST01; Unlike the system trace, however, only permission checks can be recorded and evaluated here. You can limit the recording to a specific user. You can also use the trace to search only for permission errors. The evaluation is similar to the evaluation of the system trace in the transaction ST01. In transaction STAUTHTRACE, however, you can also evaluate for specific authorization objects or for specific permission check return codes (i.e. after positive or negative permission checks). You can also filter multiple entries.

In addition, you must note that you may not execute this report on systems that are used as a user source for a Java system. This is due to the fact that a login to the Java system will only update the date of the last login to the ABAP system if a password-based login has taken place. Other Java system login modes do not update the date of the last ABAP system login.
Background processing
Note that the SAP_NEW_ individual profiles should be retained themselves, so that at any given time, traceability is ensured as to which release and which permission was added. For more information, see SAP Notes 20534, 28175, and 28186. SAP Note 1711620 provides the functionality of an SAP_NEW role that replaces the SAP_NEW profile. If you have added this note, the profile will no longer be used. Instead, you can generate your PFCG role SAP_NEW by using the REGENERATE_SAP_NEW report. When you call the report, in the source and target release selections, type in the appropriate fields, and the role is created for that release difference.

This very critical authorization can be used to electronically erase, or manipulate program runs including authorization queries in a variety of ways. This authorization should be assigned only very restrictively, for example developers need the authorization however for their daily work.

The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".

If you want to get more information about SAP basis, visit the website www.sap-corner.de.


These files are called *.pse and cred_v2.

So much information... how can you keep it so that you can find it again when you need it? That's what Scribble Papers is great for.


For communication between SAP systems, you should use HTTPS if you think the data transfer could be intercepted.
Zurück zum Seiteninhalt