Immediate authorization check - SU53
Always make sure you use the latest version of the Note Assistant. To do this, look for SAP hints about the BC-UPG-NA component in the system recommendations. We also recommend that you perform the security patch process as part of a release or support package upgrade to avoid additional testing by security advisories already released at the time of the upgrade.
Reference users are not intended to access an SAP system, but are used for authorisation administration and therefore always have a disabled password. Reference users inherit the permissions assigned to them to the users with whom the reference user is registered. For this purpose, the user buffer of the reference user is also created at login and these entries are also checked during permission checks of the inheriting user.
Solution approaches for efficient authorizations
Authorization object: Authorization objects are groups of authorization fields that control a specific activity. Authorization objects should always be defined in advance with the user group and then relate to a specific action within the system.
On the topic of SAP authorizations and SAP S/4HANA, I can recommend the SAP online course by Tobias Harmes as blended learning from Espresso Tutorials for SAP administrators, ABAP developers and people who are currently or will be dealing with SAP authorizations. The online course covers the following topics: - Introduction to the course - Why are SAP authorizations actually important? - How do SAP authorizations work technically? - Developing and maintaining roles - SAP Fiori authorizations/tile authorizations in S/4HANA - Developing authorization checks.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
When the auth/authorisation_trace parameter is turned on, external services are written to the USOBHASH table and permission checks are logged in the USOB_AUTHVALTRC table.
In addition, more information is available within the ABAP editor at each location.