Analyze user buffer SU56
System trace function ST01
In the area of group consolidation, an authorization concept ensures that no data can be deliberately manipulated, for example to change balance sheets. This can prevent significant financial or reputational damage to banks and stakeholders. Furthermore, access to financial data of subdivisions of a group, such as individual business units or companies, must be restricted to those employees who are allowed to access it because their current activities require it. As a result, a controller of a business unit, for example, can only view the consolidated figures of his business unit, but not the figures of the entire group. Further authorization roles are required, for example, for external auditors. These auditors check all the figures for the entire group, but may only have read access to this data.
Now switch to User Care and you will find that this PFCG role is not yet assigned to your user. To do this, you must first perform the user master synchronisation. You can perform this manually via the transaction PFUD or schedule it as a job. The background job PFCG_TIME_DEPENDENCY or the report RHAUTUPD_NEW is intended for this.
Standard authorisation
This very critical authorization can be used to electronically erase, or manipulate program runs including authorization queries in a variety of ways. This authorization should be assigned only very restrictively, for example developers need the authorization however for their daily work.
After these preparations, we now proceed to the expression of the User-Exit in the validation that has just been created. To do this, you copy the User-Exit definition in the created custom programme, specify a name for the User-Exit definition (e.g. UGALI) and create a new text element.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
As with the authorization trace, the profile parameter "auth/authorization_trace" must be set accordingly in the parameter administration (transaction RZ10).
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
Special caution is taken when you enter generated permission profiles directly on the Profiles tab, as these assignments will be deleted by matching user assignments with the transaction PFUD if no entry is on the Roles tab for the assignment.