AUTHORIZATIONS FOR BATCH PROCESSING IN THE SAP NETWEAVER AND S/4HANA ENVIRONMENT
Development
However, the permission trace is a long-term trace that you can turn on using the auth/authorisation_trace dynamic profile parameter. This trace is user- and client-independent. In the USOB_AUTHVALTRC table, the trace supplements the permissions checks that were not captured before the application ran. This function can also be used for customer-specific developments. Now, go to the RZ11 transaction, enter the auth/authorisation_trace parameter name in the selection box, and click View. You will now get to the detailed view of the profile parameter with all properties and the link to a documentation. To turn the trace on, click Change Value and a pop-up window will open. Enter "Y" or "F" for filters here if you want to define a filter (see Tip 38, "Use SU22 and SU24 transactions correctly") and save your input. A warning appears informing you that the parameter value would be reset when the application server is launched.
The SAP authorization concept must generally be created in two versions: for the ABAP stack and for the Java stack. Which roles are required, which role may call which SAP functions, and other conceptual issues are identical. However, there are fundamental differences between the two versions.
Set Configuration Validation
If you have developed your own permission checks to use them in your own programmes or to make extensions to the SAPS standard, it is essential that you maintain the Z authorization objects as suggestion values for the respective applications. Thus, they do not have to be reworked manually in the respective roles. In addition, you have created a transparent way to document for which applications your customer's permissions are available. Last but not least, a well-managed suggestion value maintenance helps you with upgrade work on suggestion values and PFCG roles. This ensures that your changes and connections to the respective PFCG roles are retained and new permissions checks for the new release are added to the applications.
You can automate the translation of the texts by using the LSMW transaction. This transaction is intended for migration tasks, but is also very well suited to allow a particular transaction to be repeated and automated. You record the execution of a transaction and get the variables of the text blocks (technical role name, role description, etc.). You can add values from an import file based on Microsoft Excel to each flow loop. For example, the Excel file contains a table with the columns Technical role name, description German, description English. The LSMW script works through the import file line by line and thus role by role.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
This should describe the essential processes, but also how to handle the assignment of authorizations via roles.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
You can implement the requirements in these examples by extending the financial permission checks by using document validation, a Business Transaction Event (BTE), and Business Add-ins (BAdIs).