Note the effect of user types on password rules
Limitations of authorization tools
For simplicity, we want to explain this example by using the PFCG_TIME_DEPENDENCY background job. This job calls the report RHAUTUPD_NEW or can be executed directly with the transaction PFUD. Imagine that there's no transactional code for this job yet.
The handling of organisational levels in PFCG roles wants to be learned. If these are maintained manually, problems arise when deriving rolls. We will show you how to correct the fields in question. Manually maintained organisational levels (orgons) in PFCG roles cannot be maintained via the Origen button. These organisational levels prevent the inheritance concept from being implemented correctly. You can see that organisational levels have been maintained manually when you enter values via the Ormits button, but the changes are not applied to the authorization object.
What are the advantages of SAP authorizations?
See SAP Note 1763089 for information on the system requirements and support packages you need to access the new feature. With these support packages the transaction SAIS, the new AIS cockpit, is delivered. The AIS has thus been switched from the previous role concept to thematic audit structures and offers new functions, such as logging all audit activities. The AIS has existed in the SAP system for quite a long time; It is designed as a tool for testing and evaluating SAP systems and is delivered by SAP ERP to the standard. It includes the function of audit structures, a collection of audit functions on the areas of commercial audit and system audit, including their documentation. The commercial audit includes organisational overviews and balance sheet and process orientated functions. For example, this allows you to evaluate information about financial accounting and tax receipts. The AIS system audit covers general system audits and analysis of users and permissions. For example, it includes functionality to check profile parameters or transport.
You can assign a Table or Care View to a table through the SE11 transaction or SE54 transaction. This mapping is defined as a customising setting and therefore remains in place after a release change. You can assign a table to a table permission group by using the SE11 transaction by selecting your table in the start image and pressing the Display button.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
In this case, you have previously had to create a new transport order because the table keys of the generated profiles and permissions are also recorded for each individual role record, but are not adjusted for subsequent changes in the role data.
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
You can exclude certain words or special characters as passwords by entering them in the USR40 table.