Map roles through organisational management
Object S_BTCH_ADM (batch administration authorization)
The next step is to maintain the permission values. Here, too, you can take advantage of the values of the permission trace. When you switch from the Role menu to the Permissions tab, you will generate startup permissions for all applications on the Role menu and display default permissions from the permissions suggestions. You can now add these suggested values to the trace data by clicking the button trace in the Button bar. First, select the authorization object that you want to maintain. There can be multiple permissions for each authorization object. Then load the trace data by clicking the Evaluate Trace button. A new window will open again, where you can set the evaluation criteria for the trace and limit the filter for applications either to applications in the menu or to all applications. Once the trace has been evaluated, you will be presented with all checked permission values for the selected authorization object. With the Apply button, you can now take the values line by line, column by column, or field by field.
Authorization: An authorization allows a user to perform a specific activity in the SAP system based on a set of authorization object field values. Authorizations allow users to perform actions within the system.
Eligibility proposal values
You can maintain the SE97 transaction to determine whether or not a transaction should start at origin. The information in this transaction comes from the TCDCOUPLES table and is included. You have the possibility to amend or supplement the proposals listed here. When the CALL TRANSACTION statement is invoked, additional transaction code pairings are written to the TCDCOUPLES table by activating the authorisation trace through the auth/authorisation_trace profile parameter. The check mark indicates whether the test is carried out. By default, it is set to unkempt after performing the trace. If the check mark is set to YES, the transaction startup permission is performed with the S_TCODE object. If applicable, other permissions maintained by the SE93 transaction are also checked when the transaction is called.
The permission checks are logged as part of the system trace in transaction ST01. It records all permission checks and validated permission values for a specific application server, and specifies, depending on the client, whether the permission checks were successful or not. The Trace display has now been improved (see also SAP Note 1373111).
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
Note that the PFCG transaction is actually executed, so the role is actually created in the system! In the SCC4 transaction, first check whether eCATT is allowed to run.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
The processes can be optimized again and again.