Generic access to tables
Using suggestion values and how to upgrade
If the FIORI interface is then used under SAP S/4HANA, the additional components must also be taken into account here. Authorizations are no longer made available to the user via "transaction entries" in the menu of a role. Instead, catalogs and groups are now used here. These are stored similar to the "transaction entries" in the menu of a role and assigned to the user. However, these catalogs must first be filled with corresponding tiles in the so-called "Launchpad Designer". It is important to ensure that all relevant components (tile component and target assignment component(s)) are always stored in the catalog. The FIORI catalog is used to provide a user with technical access to a tile. A corresponding FIORI group is used to make these tiles visually available to the user for access in the Launchpad.
Over the button field maintenance also own-developed authorization fields can be created to either a certain data element is assigned or also search assistance or check tables are deposited. On RZ10.de the topic has been described in more detail including a video recording in the article "Creating Authorization Objects with SAP Transaction SU21".
Authorization objects
Well-maintained suggestion values are extremely helpful for creating PFCG roles. We will give you a rough guide as to when it makes sense to maintain suggestion values. SAP provides suggested values for creating PFCG roles in the USOBT and USOBX tables via upgrades, support packages, or hints. These suggestion values include suggested values for permissions of SAP default applications that can be maintained in PFCG roles. Suggestion values are supplied not only for transaction codes, but also for Web Dynpro applications, RFC function blocks, or external services. You can customise these suggestion values to suit your needs. However, this does not happen in the supplied tables, but in the USOBT_C and USOBX_C customer tables. Care is carried out in the transaction SU24.
To maintain open permission fields in roles, you need information from the Permissions System Trace. But all transferred manually? Not with this new feature! If you have previously created PFCG roles, you must maintain all open permission fields manually. The information on which values can be entered can be read from the Permissions system trace and maintained manually in the PFCG role. However, this can be very complex, because a function that takes these values into the PFCG role has been missing.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
No external services can be added manually in transaction SU24.
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
A corresponding FIORI group is used to make these tiles visually available to the user for access in the Launchpad.