SAP Authorizations - A Common Perspective of Developers and Consultants
Consolidate user-level role mapping
Permissions in the Permission Tree with status are only deleted if the last transaction associated with the permission has been deleted from the Role menu. Delete and recreate the profile and permissions All permissions are created anew. Previously maintained, changed or manual values will be lost and deleted. The exception here is the values that are filled by the organisation levels.
You must set up a message class for later use. To do this, you will be prompted automatically when the transaction GGB0 is first called. If some relevant fields of the complete document are hidden, i.e. not available, please refer to the instructions in the SAPHinweis 413956. Set up validation in the GGB0 transaction (such as GALILEO) and determine the steps of validation. In the validation process, copy the RGGBR000 programme into your Customer Name Room, replacing the last three characters with the number of the client in which the validation will be performed. Then assign your new customer-owned programme with the GCX2 transaction to the GBLR user exit control workspace. This assignment has created the prerequisite for client-dependent user exits. If you want to set up a client-independent user exit, do the same, but use the transaction GCX1.
Know why which user has which SAP authorization
Starting with SAP NetWeaver 7.31, the Security Audit Log enables the complete display of longer event parameters in messages. To do this, the maximum storage space for variables in messages has been increased to 2 GB. To play this extension, you need a kernel patch. For the fixes and an overview of the required support packages, see SAP Note 1819317.
Suggested values are maintained in the transaction SU24 and delivered through the transaction SU22. Read more about the differences between these two transactions. Maintaining suggestion values via the SU24 transaction is useful if you want to reflect your own requirements or if the values provided by SAP do not meet customer requirements (see Tip 37, "Making sense in maintaining suggestion values"). These proposed values form the basis for the role maintenance credentials in the PFCG transaction. As you know, the suggested values provided by SAP are in the transaction SU22, which are delivered during reinstallation or upgrades as well as in support packages or SAP hints. What is the difference between transactions and how are they used correctly?
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
Here you should at least maintain the UIU_COMP authorization object so that this information is loaded into the PFCG role as soon as you include the external service in your role menu.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
We'll show you how it's easier.