AUTHORIZATIONS IN SAP SYSTEMS
Define security policy for users
The P_ABAP (HR-Reporting) authorization object is not required to execute reports, but is intended to improve performance during execution. In addition, it can be used when reports require permissions for info types that the user should not receive in other cases, which is more common. For example, the right to display information type 0008 (basic salary) is also required for the execution of the travel statement reports. The Invoice Payer Programmes also require P_ABAP permissions to process personal data.
You can schedule background jobs in the SM36 and SA38 transactions, but also in a variety of application transactions. It is important to know that special permissions are not necessary for the installation, modification, etc. of your own jobs. An exception is the release of background jobs; it is protected by a permission. Permissions are also required for the activities on other users' background jobs, and the following authorization objects are available in SAP backend processing: S_BTCH_JOB controls the access rights to other users' jobs. S_BTCH_NAM allows you to schedule programmes under a different user ID. S_BTCH_ADM grants parent permissions that are usually only required by administrators.
Add New Organisation Levels
It should be noted, however, that the system writes all authorization errors of the user into the memory area of SU53. I.e. if there is a so-called double hit, i.e. several authorization errors occur, only the last error is always in this area. I prefer to have the user run the transaction until the error message "No authorization...", then use the menu to display the error, and send me a screen shot of the first page of output. This way I avoid that the user creates another authorization error when calling transaction SU53, which covers the original one. As a user administrator or role administrator, you can also call SU53 yourself and display the error entry of another user via the menu. However, this does not always work.
If you manage your SAP system landscape via the Central User Administration (ZBV), you must insert SAP Note 1663177 into both the ZBV system and all attached subsidiary systems. In this case, also note that the default user group will be assigned in the daughter systems if no user group has been distributed during the user's installation from the ZBV. In addition, you will receive an error message in the SCUL transaction stating that a user group must be assigned to the user (via the ZBV headquarters). This behaviour is independent of the settings of the distribution parameters for the user group in the SCUM transaction. If you have set the distribution parameters for the user group to Global or Redistribution, the appropriate subsidiary system will reject the changes made to users that do not have a user group in the Central System, and you will receive an error message in the SCUL transaction.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
To use the trace data from the USOB_AUTHVALTRC table, first go to the change mode and then either click the SAP Data button or select Object > Add Objects from Trace > Local.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
The main reason for this is the tight process structure, which enables a smooth transition between the two modules.