WHY ACCESS CONTROL
In addition, critical commands should be prohibited from the outset. Examples are EXEC SQL, which allows direct access to database tables bypassing certain security mechanisms, and CLIENT SPECIFIED, which allows access to data in other clients.
Well-maintained suggestion values are extremely helpful for creating PFCG roles. We will give you a rough guide as to when it makes sense to maintain suggestion values. SAP provides suggested values for creating PFCG roles in the USOBT and USOBX tables via upgrades, support packages, or hints. These suggestion values include suggested values for permissions of SAP default applications that can be maintained in PFCG roles. Suggestion values are supplied not only for transaction codes, but also for Web Dynpro applications, RFC function blocks, or external services. You can customise these suggestion values to suit your needs. However, this does not happen in the supplied tables, but in the USOBT_C and USOBX_C customer tables. Care is carried out in the transaction SU24.
The use of suggestion values not only brings advantages when creating or maintaining PFCG roles, but also when maintaining permissions as a rework of an upgrade. Furthermore, these values can be used as a basis for risk definitions. Before creating PFCG roles, it is useful to maintain the suggested values for the transactions used. However, you do not need to completely revise all of the suggested values that are delivered by SAP.
There are many advantages to using an authorization tool for companies. These include: - Managing authorization requests - Distributing and assigning authorizations - Auditing authorizations - Developing authorizations. With the help of authorization tools, it is possible, for example, to drastically reduce the effort required for role creation and authorization management through concrete assignment of SAP system roles.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
To avoid inconsistencies in the user master kits, you must reconcile the users in the daughter system after the ZBV is activated.
So much information... how can you keep it so that you can find it again when you need it? Scribble Papers is a "note box" that makes this very easy.
In this case, also note that the default user group will be assigned in the daughter systems if no user group has been distributed during the user's installation from the ZBV.