Protective Measures for Special Authorization Objects

Some authorization objects contain especially critical authorizations, which you should take extra measures to protect.

  • Authorization profile SAP_ALL

    This composite profile contains all SAP authorizations, meaning that a user with this profile can perform all tasks in the SAP system. You should not assign this authorization profile to any of your users. We recommend that you create only one user with this profile. You should keep the password of this user secret (store it in a safe) and only use it in emergencies. Instead of using the SAP_ALL profile, you should distribute the authorizations it contains to the appropriate positions. For example, instead of assigning your system administrator (or superuser) the authorization SAP_ALL, assign him or her only those that apply to system administration, namely the S_* authorizations. These authorizations give him or her enough rights to administer the entire SAP system, without allowing him or her to perform tasks in other areas such as Personnel.

  • Generated role SAP_NEW

    When you upgrade SAP NetWeaver AS, we can add new authority checks to applications you are already using. Your users need the authorizations for the new authority checks to continue using the functions they have used until now. You must use Profile Generator: Upgrade and First Installation (transaction SU25), steps 2a/b and 2c, to update the defaults and roles to include the new authorizations. Performing this update requires time. To enable your users to work productively in the upgraded system until you have updated the defaults and roles, run report REGENERATE_SAP_NEW. This report creates a role, SAP_NEW, with the new authorizations. Assign SAP_NEW to the users affected by the upgrade.

    Caution

    Do not forget to delete the role assignments to SAP_NEW once you are finished with the update to the authorization defaults and roles.

    Note

    The composite profile SAP_NEW is obsolete.
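
The two recommendations above can be checked periodically against exported assignment data. The following is an added example, not SAP code: it assumes CSV exports whose columns are named after tables UST04 (user-to-profile) and AGR_USERS (user-to-role), counts SAP_ALL holders per client as an assumption, and uses constructed sample rows and user names.

```python
import csv
import io
from datetime import date

# Constructed sample exports (assumed layout; not real system data).
UST04_CSV = """MANDT,BNAME,PROFILE
100,EMERGENCY01,SAP_ALL
100,JSMITH,SAP_ALL
100,BASISADM,Z_BASIS_ADMIN
200,EMERGENCY01,SAP_ALL
"""

AGR_USERS_CSV = """MANDT,UNAME,AGR_NAME,FROM_DAT,TO_DAT
100,MMILLER,SAP_NEW,20240101,99991231
100,KLEE,SAP_NEW,20240101,20240131
100,KLEE,Z_FI_CLERK,20230101,99991231
"""

def audit_sap_all(ust04_csv, allowed_per_client=1):
    """Return {client: [users]} where more users hold SAP_ALL than allowed."""
    holders = {}
    for row in csv.DictReader(io.StringIO(ust04_csv)):
        if row["PROFILE"].strip().upper() == "SAP_ALL":
            holders.setdefault(row["MANDT"], set()).add(row["BNAME"].strip())
    return {c: sorted(u) for c, u in holders.items()
            if len(u) > allowed_per_client}

def audit_sap_new(agr_users_csv, today):
    """Return (client, user, status) for every remaining SAP_NEW assignment.

    Expired assignments are reported too, because the guidance is to delete
    the assignments once defaults and roles are updated, not to let them lapse.
    """
    key = today.strftime("%Y%m%d")
    findings = []
    for row in csv.DictReader(io.StringIO(agr_users_csv)):
        if row["AGR_NAME"].strip().upper() != "SAP_NEW":
            continue
        status = "expired" if row["TO_DAT"] < key else "unexpired"
        findings.append((row["MANDT"], row["UNAME"].strip(), status))
    return sorted(findings)

if __name__ == "__main__":
    print("SAP_ALL over limit:", audit_sap_all(UST04_CSV))
    print("SAP_NEW leftovers:", audit_sap_new(AGR_USERS_CSV, date(2024, 6, 1)))
```

Run the SAP_NEW check only after the SU25 update is complete; before that, the assignments are expected.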