Use table editing authorization objects
User administration (transaction SU01)
The general SAP authorizations are used most often and for many things they are sufficient. For example, if only the HR department has access to the SAP HCM system. However, if other users come onto the system and you only want to allow them access to a limited number of personnel, then in the case of the general authorizations you have to deal with the organization key of infotype 1 (VSDK1), which must be hard-coded into the authorization roles. If ESS/MSS or Manager Desktop etc. now come into play, however, this means a large number of authorization roles, namely a separate one for each manager. This makes maintenance and servicing very time-consuming and your authorization concept becomes opaque, which in turn brings the much-quoted auditor onto the scene.
All permission checks are issued in table form as an ALV list. You can sort or filter this list by column. Furthermore, all the new features of the transaction ST01, which we listed at the beginning of this tip, have been applied for evaluation. Double-clicking on a authorization object will direct you to the authorization object definition, and double-clicking on the transaction will direct you to the programme location where the permission check is performed. For more tips on how to use this trace, see Tip 32, "Maintain permission values using trace evaluations," and Tip 39, "Maintain suggestion values using trace evaluations.".
Permissions checks
When copying the values to the Clipboard, note that only those values that you have previously marked will be copied to the Clipboard. The value intervals that can be maintained in the permission field values are separated by a tab stop, which is stored on the Clipboard.
The proposed values in the SU24 transaction are an imperative for the maintenance of PFCG roles, as these values are used when creating PFCG roles. The better these values are maintained, the less effort is required to maintain the PFCG roles (see figure next page). You may ask yourself in which cases it makes sense to adjust the proposed values, since they have such a large impact on the maintenance of roles.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
It should be noted that they are very important for the operational execution of your SAP system and must not be deleted.
If you want to know more about SAP authorizations, visit the website www.sap-corner.de.
From SAP Net-Weaver AS ABAP 7.40 there is the additional SAP Unified Connectivity (UCON) layer.