Maintain proposed values using trace evaluations
Unclear responsibilities, especially between business and IT
The setting of the modification flag used to determine the proposed values to be matched is imprecise. Learn about a new process that uses timestamps. Upgrade rework for suggestion values and roles must be performed not only upon release change, but also after inserting plug-ins, support packages, enhancement packages, or other software components, such as partner solutions. These rework can be complex if the underlying selection of proposed values cannot be restricted. Therefore, a new procedure has been introduced in the transaction SU25, which restricts the proposed values to be compared using a time stamp.
Sometimes implementation consultants are also confronted with the situation that no authorization concept exists at all. This happens, for example, when changes in SAP SuccessFactors responsibilities occur on the customer side or different implementation partners were active in the past. However, a missing concept can lead to errors in the system. Users cannot perform certain actions, or worse, people see sensitive data that they should not see. This can, in the worst case, constitute a DSGVO violation and lead to a fine for the company.
General considerations
Now, if a user attempts to execute a report (for example, by using the KE30 transaction), the user's permissions for that authorization object are checked. Therefore, you must adjust your permission roles accordingly. If the user does not have permission to access the object, his request is rejected. If it has a corresponding permission, the display will be restricted to the permitted area. Access is still allowed for all characteristics or value fields that are not defined as fields of the authorization object.
Single role - Created using the role administration tool, it enables the automatic generation of an authorization profile. The role contains the authorization data and the logon menu of the users.
Authorizations can also be assigned via "Shortcut for SAP systems".
A simple example of how to play this behaviour without an upgrade scenario is changing the role menu.
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
There are approximately 40,000 RFC-enabled function blocks in an ERP system; Usually no more than a few hundred of them are used.