Generic access to tables
Emergency user concept
In order to provide user authorisation support, you often need their information. However, there is also the possibility to view missing permissions centrally for all users. If a user has a permission issue, a ticket is usually displayed at support. However, it is difficult for a support worker to understand permissions errors because they have different permissions and are often missing detailed information about the application where the permission error occurred. In practice, therefore, support staff often help themselves by asking the user to send a screenshot of the transaction SU53. Because this transaction shows the last failed permission check. In many cases, however, the information displayed there is not helpful to the permission administrator. You may have seen that a screenshot from the SU53 transaction shows a missing permission for typical base authorization objects, such as S_ADMI_FCD, S_CTS_ADMI, or S_TRANSLAT, but you know that your check has nothing to do with the actual permissions problem in the application. So you need the opportunity to see for yourself.
Reference users are not intended to access an SAP system, but are used for authorisation administration and therefore always have a disabled password. Reference users inherit the permissions assigned to them to the users with whom the reference user is registered. For this purpose, the user buffer of the reference user is also created at login and these entries are also checked during permission checks of the inheriting user.
Search for user and password locks
In everyday role maintenance, you often have to change the permission data of a single role again after you have already recorded the role in a transport order along with the generated permission profiles. In this case, you have previously had to create a new transport order because the table keys of the generated profiles and permissions are also recorded for each individual role record, but are not adjusted for subsequent changes in the role data.
The SAP authorization concept protects transactions, programs, services and information in SAP systems against unauthorized access. Based on the authorization concept, the administrator assigns users the authorizations that determine the actions this user can perform in the SAP system after logging on and being authenticated.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
Not only the number of users is relevant, but also their classification, the so-called user types.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
The specifications for this should all be defined in the authorization concept documented in writing and must also be consistent with this.