SAP S/4HANA® Launch Pack for Authorizations
Get an overview of the organisations and their dependencies maintained in the system
Without generic table logging, certain changes in the system are not traceable. Learn how to turn on table logging in the system for a large set of tables. The SAP system writes change documents for most changes - but not all. Specifically, changes to tables in which the customising is performed are not recorded in the modification documents. This may lead to a lack of comprehensibility of changes. Avoid this by basically enabling table logging and then setting logging for specific additional tables. You should always enable table logging for all clients. However, during a release upgrade it may be necessary to temporarily disable table logging.
You have developed applications yourself and would like to maintain suggestion values for them? The easiest way to do this is with the help of the permission trace. Permission checks are also performed on self-developed applications. These applications must therefore be included in the PFCG rolls. If they are maintained in a role menu, you will notice that in addition to the start permissions (such as S_TCODE), no other authorization objects are added to the PFCG role. The reason for this is that even for customer-specific applications suggestion values must be maintained to ensure that the PFCG role care runs according to the rules and to facilitate the care for you. Up to now, the values of customer-owned applications had to be either manually maintained in the PFCG role, or the suggested values maintenance in the transaction SU24 was performed manually.
RFC interfaces
When scheduling a job, another user can be stored as the executing user. This means that the individual processing steps of the job are technically carried out by the stored user with his or her authorizations. This means that activities could be triggered that could not be executed with the user's own authorizations.
GET_EMAIL_ADDRESS: The example implementation of this method reads the e-mail address from the system's user master record. Adjust the method if you want to read the email address from another source.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
These auditors check all the figures for the entire group, but may only have read access to this data.
If you want to know more about SAP authorizations, visit the website www.sap-corner.de.
Another danger is that users will experiment with their authorizations and cause damage that can be avoided by having a clean authorization structure.