Task & functionality of the SAP authorization concept
WF-BATCH: The WF-BATCH user is used for background processing in SAP Business Workflow and is created automatically when customising workflows. WF-BATCH is often associated with the SAP_ALL profile because the exact requirements for the permissions depend on the user's usage. The password of the user can be set and synchronised via the transaction SWU3. Safeguard measures: After automatic generation, change the user's password and assign it to the SUPER user group.
The Enable Transport Recording button allows you to save the changes in the roles on a transport order. For information on the validity of the PFCG_ORGFIELD_ROLES report, see SAP Note 1624104.
Correct settings of the essential parameters
For the ABAP stack, authorization profiles can be created either manually or by using the profile generator. However, the use of the profile generator is strongly recommended, since manual administration usually results in misconfigurations of authorizations. The profile generator guarantees that users only receive the authorizations assigned by their role. Concepts, processes and workflows must therefore be adapted to the use of the profile generator. There is no choice for the Java stack; here the J2EE authorization mechanism must be used. The User Management Engine offers options that go beyond the J2EE standard.
In principle, the SAP_NEW permission should not be granted in the production system. The Profiles tab displays the generated profiles in the user master record that are associated with a specific user. Here you can also assign manually created permission profiles from the transaction SU02 - even without direct role mapping. In principle, the recommendation is to use the profile generator (transaction PFCG) to generate authorisation profiles automatically. Special caution is taken when you enter generated permission profiles directly on the Profiles tab, as these assignments will be deleted by matching user assignments with the transaction PFUD if no entry is on the Roles tab for the assignment. You have probably assigned SAP_ALL and SAP_NEW to users for whom there should be no restrictions in the SAP system. But what are these two profiles different from each other and why are they necessary?
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
You can find the evaluation methods in table T77AW.
You can now decide how the applications appear in the Role menu.