Check Profit Centre Permissions in FI
Limitations of authorization tools
From the result of the statistical usage data, you can see which transactions (ENTRY_ID) were used, how often (COUNTER), and how many different users. There are various indications from this information. For example, transactions that were used only once by a user within 12 months could indicate a very privileged user, or inadvertently invoking a transaction for which a user has permissions. The future assignment of such transactions in the SAP role concept should then be critically questioned. In contrast, you should consider transactions with a high level of usage and a large user circle (e.g. with more than ten users) in an SAP role concept.
Additional permission check on the S_RZL_ADM authorization object: For security reasons, an additional permission check is performed on the S_RZL_ADM authorization object for special PSE (Personal Security Environment) files with access type 01 (Create). These files are called *.pse and cred_v2. These files are required for single sign-on, encryption and digital signatures. They are maintained using the transaction STRUST and the transaction STRUSTSSO2, which require the same permission (see SAP Note 1497104 for details).
Use SAP Code Vulnerability Analyser
Confidential information from your SAP system can also be sent by email. Make sure that this data is only transmitted encrypted. Your SAP system contains a lot of data, which is often confidential. This can be business-critical or personal data or even passwords. It happens again and again that such data must also be sent by e-mail. Therefore, make sure that this information is always encrypted and signed if necessary. Encryption is intended to ensure the confidentiality of the data, i.e. that only the recipient of the e-mail should be able to read it. The digital signature serves the integrity of the data; the sender of an e-mail can be verified. We present the configuration steps required for encryption and provide examples of how to encrypt the sending of initial passwords. There are two ways to encrypt and sign emails in the SAP system: via SAPconnect, via a secure third-party email proxy.
Structural authorizations work with SAP HCM Organizational Management and define who can be seen, but not what can be seen. This is done based on evaluation paths in the org tree. Structural authorizations should therefore only be used together with general authorizations. Just like the general authorizations in SAP ECC HR, they enable regulated access to data in time-dependent structures. An authorization profile is used to determine the authorization. In addition, it is defined how the search is carried out on the org tree.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
On RZ10.de the topic has been described in more detail including a video recording in the article "Creating Authorization Objects with SAP Transaction SU21".
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
For example, a verifier should have read access to all customising tables.