Optimise trace analysis
Permissions profiles are transported in the standard (since release 4.6C) with the roles. If you do not want to do this, you have to stop the data export in the source system by the control entry PROFILE_TRANSPORT = NO. The profiles must then be created by mass generation before the user logs are matched in the target system. This can be done via transaction SUPC.
The following sections first describe and classify the individual components of the authorization concept. This is followed by an explanation of which tasks can be automated using the Profile Generator.
Authorization concept - user administration process
If you do not want to use reference users, you can hide the Reference User field for additional permissions via a standard variant for the transaction SU01. The necessary steps are described in SAP Note 330067.
The authorization objects are attached by analogy to the forecast and item-based reports. The authorization objects of the item-based reports are checked in addition to the authorization objects for the information system when the report is selected. There is a trick in maintaining the CO-PA-specific authorization objects, because a once selected result area is set for the entire session of your login. This is of course hindering the maintenance of authorization objects for different result areas. Therefore, simply change the result area in the Customising window using the following path: Controlling > Income and market segment accounting > Structures > Set result area.
Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.
This mapping is defined as a customising setting and therefore remains in place after a release change.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
To implement your own permission checks, it may be helpful to see how such checks have been implemented in the SAP standard.