Compensating measures for segregation of duties conflicts
In addition, you must note that you may not execute this report on systems that are used as a user source for a Java system. This is due to the fact that a login to the Java system will only update the date of the last login to the ABAP system if a password-based login has taken place. Other Java system login modes do not update the date of the last ABAP system login.
In SAP systems you always have the possibility to integrate custom developments. In such extensions or your own programmes, you must implement permission checks and may also create your own authorization objects. You can also supplement authorisation checks in standard transactions if the existing checks do not cover your requirements.
Data ownership concept
At the latest, if it is no longer possible to clearly define which transactions should be included in which roles and which roles a user requires, a correction is necessary. It must be clear which rights are required for the individual tasks in the system.
The goal of an authorization concept is to provide each user with the appropriate authorizations in the system individually for their tasks according to a previously defined rule. For this purpose, an authorization concept must be defined as the foundation for efficient authorization assignment. In this way, each employee is given system access through the role-specific assignment of authorizations according to his or her tasks. On the one hand, this protects sensitive information and, on the other, prevents damage caused by incorrect use of data.
Authorizations can also be assigned via "Shortcut for SAP systems".
This reduces your administrative overhead for maintaining functional permissions and reduces the maintenance effort for role derivations to adapt the so-called organisational fields.
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
The system checks direct access to the contents of tables, for example, with transactions SE16, SM30, or SE16N with authorization checks on a table authorization group, object S_TABU_DIS.