Sustainably protect your data treasures with the right authorization management
Coordinate authorisation management in customer-owned programmes
Careful maintenance of suggestion values in the relevant authorization objects brings recurring benefits when creating and revising roles for Web applications. In addition, transaction SU25 supports role post-processing in the context of SAP upgrades.
You can use the previously created organisational matrix either to mass-create new role derivations (role derivation) or to mass-update existing role derivations (derived role organisational values update). For both scenarios there are separate Web Dynpro applications, in which you must select the corresponding reference roles.
What to do when the auditor comes - Part 2: Authorizations and parameters
If you do not maintain the values or set them to a value other than YES, the role menus of the reference user will not be taken into account when setting up the user menu. The two switches are system-wide; it is therefore not possible to define a client-specific setting. If you set both switches to YES, you will not be able to tell from the user menu entries whether they come from the reference user's role menus or from the user's own. Reference users have another benefit: you can also use them to inherit the contractual user type. A user inherits the classification of the reference user if they do not have any other role or profile mappings with classification, or if they have not been classified manually.
Additional checks should be performed on document transactions in specific processes. This may be necessary, for example, when booking via interfaces in customer-owned processes, if the booking is to be possible only under certain conditions or on certain accounts.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
In such extensions or your own programmes, you must implement permission checks and may also create your own authorization objects.
Once you have defined your criteria for executing the report, you can create different variants for the report and schedule corresponding jobs to automatically lock down or invalidate the inactive users.