SAP Authorizations The Anatomy of SAP Authorization or Documentation on SAP Authorization Objects and Authorization Field Values - SAP Corner

The Anatomy of SAP Authorization or Documentation on SAP Authorization Objects and Authorization Field Values
List of required organisational levels and their value
The call to your implementation of the BAdI is the last step in the process of saving user data. This applies to all transactions and function modules that change user data. Therefore, the BAdI is also called during maintenance through the BAPI BAPI_USER_CHANGE. You use this BAPI when you implement a password reset self-service as described in Tip 52, "Reset Passwords by Self-Service." This enables encrypted e-mail delivery of initial passwords within a self-service framework.

When scheduling a job, another user can be stored as the executing user. The individual processing steps of the job are then technically carried out by the stored user with his or her authorizations. As a result, the job can trigger activities that the scheduling user could not execute with his or her own authorizations.
Assignment of roles
Roles are assigned according to the function of employees in the company, and their validity is limited depending on the task. Removing role assignments manually in user master records is very tedious. We'll show you how it's easier. Over time, users of your SAP system have accumulated many roles in their user master records. These roles have different validity periods. Some roles have already expired, and other roles may be assigned multiple times, because a user might perform several functions in the organisation, some of which include the same roles. Now you are looking for an easy way to delete role assignments that have expired or to remove multiple role assignments.
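
To see which assignments such a clean-up would touch, the following added example (not part of the original page) reviews role assignments offline. It assumes a CSV export with the AGR_USERS columns UNAME, AGR_NAME, FROM_DAT and TO_DAT; the user names, role names and dates in the sample are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import date, datetime

# Constructed sample export; the CSV layout is an assumption of this example.
SAMPLE_EXPORT = """UNAME,AGR_NAME,FROM_DAT,TO_DAT
JDOE,Z_FI_AP_CLERK,20200101,20211231
JDOE,Z_FI_AP_CLERK,20220101,99991231
JDOE,Z_FI_AP_CLERK,20230601,99991231
JDOE,Z_MM_BUYER,20190101,20201231
ASMITH,Z_SD_SALES,20210101,99991231
"""


def parse_date(value):
    """Convert an SAP date string (YYYYMMDD) into a date object."""
    return datetime.strptime(value, "%Y%m%d").date()


def review_assignments(export_text, today):
    """Return (expired, redundant) role assignments as tuples
    (user, role, valid_from, valid_to)."""
    expired = []
    active = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        entry = (row["UNAME"], row["AGR_NAME"],
                 parse_date(row["FROM_DAT"]), parse_date(row["TO_DAT"]))
        if entry[3] < today:
            expired.append(entry)             # validity already ended
        else:
            active[entry[:2]].append(entry)   # group by (user, role)

    redundant = []
    for entries in active.values():
        # Earliest start first; for equal starts the longest period first.
        entries.sort(key=lambda e: (e[2], -e[3].toordinal()))
        widest_end = None
        for entry in entries:
            # An earlier-starting entry already covers this whole period.
            if widest_end is not None and entry[3] <= widest_end:
                redundant.append(entry)
            else:
                widest_end = entry[3]
    return expired, redundant


if __name__ == "__main__":
    expired, redundant = review_assignments(SAMPLE_EXPORT, date(2024, 1, 15))
    for label, rows in (("expired", expired), ("redundant", redundant)):
        for user, role, start, end in rows:
            print(f"{label:9} {user:8} {role:16} {start} - {end}")
```
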

Merely adding an authorization object via SU24 does not automatically result in a check within the transaction. The developer has to include an authorization check for exactly this object in the program code.

During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.

Once you have identified the organisational features to consider, verify that you can redesign the existing roles so that the organisational features can be clearly maintained by use.



The recommendation is issued in the following categories: Security-relevant SAP information, information on performance optimisation, HotNews, information on changes in legal regulations, and notes on corrections in the ABAP system.