Trace after missing permissions
Object S_BTCH_NAM and S_BTCH_NA1 (use of foreign users in Steps)
They have encountered a role that includes manually maintained organisational levels. Even if you correct the error manually in the role by manually deleting the manually maintained value of the organisation levels in the authorization object, the value in question is not drawn from the organisation level. The AGR_RESET_ORG_LEVELS report allows you to reset these values for the role. The manually maintained organisational data will be deleted, and only the values that have been maintained via the Origen button will be drawn.
Don't simplify your entitlement concept before you know all the requirements, but first ask yourself what you need to achieve. So first analyse the processes (if possible also technically) and then create a concept. Many of the authorisation concepts we found in customers were not suitable to meet the requirements. Some of these were "grown" permission concepts (i.e., requests were repeatedly added) or purchased permission concepts. Many of these concepts had in common that they had been oversimplified, not simply. A nice example is permission concepts that summarise all organisational levels in value roles or organisational roles. There are few examples, such as the role manager of the industry solution SAP for Defence and Security, in which the result of a value role concept is still useful and appropriate for the user. The assumption that you "sometimes" separate all the authorization objects that contain an organisational level is simple, but not useful. We have not found the simplification that only a user without permissions can definitely not have illegal permissions. However, there was always the case that users had far too many permissions and the system was therefore not compliant.
Check for permissions on the old user group when assigning a new user group to a user
Are you using SAP NetWeaver Business Client instead of SAP GUI? The arrangement of the applications on the screen is controlled by PFCG roles. The SAP NetWeaver Business Client (NWBC) is an alternative to SAP GUI for access to SAP applications. This allows you to centrally access applications that reside in different SAP systems and have different UI technologies. The NWBC enables you to call not only transactions, but also Web-Dynpro applications and external service applications. In this tip, we will show you how to use PFCG roles to control the design of the NWBC user interface.
The advantage of this feature is that administrators can parse failed permission checks regardless of end users. End users can save their unsuccessful checks to the database using the Save ( ) button. As an administrator, you can also back up failed permission checks from other users. The Saved Checks button also gives you access to this information afterwards. The automatic storage carried out when the old transaction SU53 was called is omitted because it overwrote the last recording. You can also load the results into an Excel file to allow a more comfortable evaluation.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
You will now go to the Attribute tab, where you specify the general frame data.
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
In addition to the partially available online help for individual authorization objects, the question arises as to how the documentation for the authorization object can be called up.