Permissions with Maintenance Status Used
The next step is to maintain the permission values. Here, too, you can take advantage of the values of the permission trace. When you switch from the Role menu to the Permissions tab, you will generate startup permissions for all applications on the Role menu and display default permissions from the permissions suggestions. You can now add these suggested values to the trace data by clicking the button trace in the Button bar. First, select the authorization object that you want to maintain. There can be multiple permissions for each authorization object. Then load the trace data by clicking the Evaluate Trace button. A new window will open again, where you can set the evaluation criteria for the trace and limit the filter for applications either to applications in the menu or to all applications. Once the trace has been evaluated, you will be presented with all checked permission values for the selected authorization object. With the Apply button, you can now take the values line by line, column by column, or field by field.
Permissions must have both identical maintenance status (default, maintained, modified, manual) and an identical active status (active or inactive). Exceptions represent changed permissions and manual permissions; these are summarised when the active status is identical.
SAP Authorizations - A Common Perspective of Developers and Consultants
Depending on your SAP NetWeaver release status, you must include SAP Note 1731549 or a support package. After that, it is no longer possible to create new users whose names consist only of variants of spaces or non-visible special characters. Changes to existing users are still possible. The customising switch BNAME_RESTRICT, also included in SAP Note 1731549, allows you to control whether you want to allow alternate spaces at certain locations of the user ID.
If RFC function modules are called via RFC connections (for example, from an RFC client program or another system), an authorization check is performed on authorization object S_RFC in the called system. This check checks the name of the function group to which the function module belongs. If this check fails, the system also checks the authorizations for the name of the function module. Configure this check with the auth/rfc_authority_check parameter.
With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.
In the Programme Name column, you can see the programme that includes the Permissions Check.
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
Over the course of time, many companies experience profound changes in the framework conditions that significantly influence SAP® authorization management.