Partner Agreement Configuration
SM64 Batch Events: Overview and Management
Whenever you find a red traffic light on the Roles tab in the user master in SU01 - or a yellow traffic light on the Users tab in PFCG, you can usually solve the problem with a simple user synchronization. The fact that such a user adjustment is necessary can have several reasons. Among others: after a role transport to / when assigning users to roles via PFCG after restricting the validity of roles to users when roles are assigned indirectly via organizational management. Users usually notice the problem of a user comparison that has not been carried out quite quickly: Authorizations are missing, although at first glance they are available in the assigned authorization roles. This is because a user is assigned the correct authorization role - but the profile associated with the role is not up to date.
Another important example is the reading permission for TemSe objects. The temporary files are often forgotten, because it is often not considered that cached (strictly) sensitive data, which is intended for only one user (owner), can be viewed by another user without permission - and across clients. The examples mentioned show us how important it is to carefully assign permissions for client-independent transactions. Download Transaction tables The transactions that enable the examples above, including certain expressions of the associated permission objects and our recommendations for them, can be found in the file "Critical cross-client permissions" for download. Other client-independent transactions are located in the Cross Clients TCODES file. The criticality of these transactions should be assessed according to the context. I recommend always being careful and keeping these transactions in mind.
Root cause analysis
SWPM - the Software Provisioning Manager integrates the classical tools like sapinst, ehpup, etc. for the maintenance/installation of SAP systems.
The support packages were successfully fed into a system (test or development system). You performed the modification synchronisation. Procedure Load the support packages into the next system (quality or production system). You must distinguish between the following cases: Their systems have a common transport directory: Release Level 3.x: If the *.ATT files are not present, run RSEPSDOL in the source system and then RSEPSUPL in the target system. If the *.ATT files are present, run only RSEPSUPL in the target system. Release level 4.x: Select SPAM Support Package Upload in the target system. Your systems do not have a common transport directory: Release Level 3.x: Run RSEPSDOL in the source system to create the *.ATT files if they do not already exist. With ftp, transfer all files with the *.PAT extension in binary mode and all files with the *.ATT extension in ASCII mode from the /usr/sap/trans/EPS/in directory (UNIX and AS/400) or
:\usr\sap\trans\EPS\in (Windows NT) of the source system to the target system transport directory. Run RSEPSUPL in the target system. Release level 4.x: With ftp in binary mode, transfer all files with the *.PAT extension from the source system's /usr/sap/trans/EPS/in (UNIX and AS/400) or :\usr\sap\trans\EPS\in (Windows NT) directory to the target system's transport directory. Select SPAM Support Package Upload in the target system. Play the Support Packages as usual. Import the Modification Balance Transport. Steps of the SPAM The SAP Patch Manager informs you about the step in progress in the status bar. If you want to know what steps are being performed for which scenario, run RSSPAM10.
Some missing SAP basic functions in the standard are supplied by the PC application "Shortcut for SAP Systems".
Congratulations, you have successfully created a derived role! Repeat step 2 with the additional derivatives to adjust the organisation levels accordingly.
To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.
When identifying critical SAP permissions, profiles and roles, it should be noted that SAP does propose a concept for names, but this is not always taken into account by applications or its own developments.