Create permissions for customising
In the transaction, select SU10 by login data of users
Over the course of time, many companies experience profound changes in the framework conditions that significantly influence SAP® authorization management. Not uncommon are subsequent requirements from the area of compliance (SOX or similar) or the increased need for protection.
When you start a report with the ABAP statement SUBMIT REPORT, the system checks the authorization object S_PROGRAM, provided that the program has been assigned to a program authorization group in transaction SE38. If this assignment is not sufficient for your system environment, you can define your own group assignment with the report RSCSAUTH. You must check this assignment after installing Support Packages or upgrades and reassign the reports if necessary.
SAP Authorization Trace - Simple Overview of Authorizations
Here I had to look for a moment at which point for SAP key users and not only for the SAP Basis in the SAP system an authorization is callable and may like to take this as an opportunity to write here in the article a few basics on the "anatomy" of SAP authorizations. To access the SAP system, the first thing you need is an SAP user ID (User). The user maintenance transaction SU01 (or SU01D) can be used to assign roles (from which profiles are derived) in addition to the (initial) password and personal data.
No more users can be created, maintained or deleted without the assignment of a valid user group. If a user group is not assigned when a user is created, the user is automatically assigned the default user group. Before you set the USER_GRP_REQUIRED switch, a user group must have been assigned to each existing user and the administrators must have the permissions for the default user group. When creating a new user, the default user group will be used as pre-occupancy; this user group can be overridden by setting another user group in the S_USER_GRP_DEFAULT user parameter for each user administrator. The customising switch requires a valid user group, because it is used as the default user group. If a valid user group has not been entered in the customising switch, the user group is nevertheless a mandatory field. This will lead to errors in automated user creation.
With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.
You will find the corrections and an overview of the required support packages in SAP Note 1963882.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
Reference users are not intended to access an SAP system, but are used for authorisation administration and therefore always have a disabled password.