Note the effect of user types on password rules
Authorization concept
You cannot increase the retention time afterwards; Therefore, you should adjust the configuration in good time before starting a project. In addition, you should change the settings of the stat/rfcrec and stat/rfc/distinct profile parameters. For example, you should increase the value of stat/rfcrec to 30, and stat/rfc/distinct should be set to 1. This improves the completeness of the recorded RFC usage data. For details on the technical improvements, see SAP Note 1964997.
For result and market segment accounting, you can define planning authorization objects, the information system, and item-based reports of the information system. In the customising (transaction SPRO), you create them via the following path and then select the corresponding section. Controlling > Income and market segment calculation > Tools > Permissions management > CO-PA specific eligibility objects.
Advantages of authorization tools
With the introduction of security policy, it is now possible to define your own security policy for System or Service users. This way you can ensure that backward-compatible passwords are still used for these users. This eliminates the reason that password rules were not valid for System/Service type users; Therefore, the rules for the content of passwords now apply to users of these types. Password change rules are still not valid for System or Service type users. If you are using security policy in your system, you can use the RSUSR_SECPOL_USAGE report to get an overview of how security policy is assigned to users. This report can be found in the User Information System (transaction SUIM). In addition, the user information system reports have added selected security policies to the user selection. This change was provided through a support package; For details, see SAP Note 1611173.
In many distributed organisations, the Profit Centre is used to map out the distributed units. However, this was only possible for FI with additional programming. In integrated data flows in SAP ERP, the sending application usually does not check the authorization objects of the receiving application. Financial Accounting (FI) in SAP does not check permissions for cost centres and profit centres. However, depending on the case of use, this may be necessary, e.g. if distributed entities are to operate as small enterprises within the enterprise and only collect and view data for this particular unit at a time. With the introduction of the new general ledger, SAP has technically merged the financial accounting and the profit centre account, so that the question of the inclusion of profit centre allowances in FIs becomes even more important.
Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.
To do this, use the BAPI BAPI_USER_GET_DETAIL, which you must call for the SAP User ID on all relevant systems.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
Users of your Web applications should have access to the applications that correspond to their particular business roles.