Evaluation of the authorization check SU53
SAP systems: Control user authorizations with a concept
Transaction SU53 can be used to immediately display the missing authorizations for a single SAP user. This is advantageous when individual background processing or activities are not executed correctly and the cause is suspected to be missing authorizations. In this way, the cause of the error can be narrowed down more quickly.
You can use the function block level permission check by setting the FUNC value in the RFC_TYPE field in the S_RFC authorization object. If you still want to allow function groups, specify the value FUGR here. Depending on the RFC_TYPE field, type the name of the function block or group in the RFC_NAME field (name of the RFC object to be protected). This extension of the test is provided by the correction in SAP Note 931251.
Get an overview of the organisations and their dependencies maintained in the system
Remove improperly defined SAP Orgebene ($CLASS): This function deletes the $CLASS organisational level that was incorrectly delivered with the GRCPlug-in (Governance, Risk and Compliance). Use the test mode of the report to look at possible corrections in advance.
Both solutions offer you the added value of centralised reporting of existing users, newly created users, and role assignments. You can also extend the integrated workflows of both solutions to HANA permission applications. This enables you to use the risk analysis of the SAP Access Control solution also in relation to critical HANA permissions.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
These can be internal auditors, auditors or developers.
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
In a new System Trace window, you can specify the evaluation criteria for the trace, such as the user using the Trace field only for users or the time period over which to record.