Trace after missing permissions
Customise evaluation paths in SAP CRM for indirect role mapping
In addition to these requirements, other settings can ensure that the transaction can be performed without verification: Verification of eligibility objects is disabled by check marks (in transaction SU24). This is not possible for SAP NetWeaver and SAP ERP HCM authorization objects, i.e. it does not apply to S_TCODE checking. The checks for specific authorization objects can be globally off for all transactions (in transaction SU24 or SU25). This is only possible if the profile parameter AUTH/NO_CHECK_IN_SOME_CASES is Y. In addition, executable transactions may also result from the assignment of a reference user; the reference user's executable transactions are also taken into account.
The call to your implementation of the BAdIs is the last step in the process of storing user data. This applies to all transactions or function blocks that make changes to user data. Therefore, the BAdI is also called during maintenance by the BAPI BAPI_USER_CHANGE. You use this BAPI when you implement a password reset self-service as described in Tip 52, "Reset Passwords by Self-Service." This enables encrypted e-mail delivery of initial passwords within a self-service framework.
Authorization concepts in SAP systems
Now switch to User Care and you will find that this PFCG role is not yet assigned to your user. To do this, you must first perform the user master synchronisation. You can perform this manually via the transaction PFUD or schedule it as a job. The background job PFCG_TIME_DEPENDENCY or the report RHAUTUPD_NEW is intended for this.
The Security Audit Log now logs the table or view name and the scheduled activity of external table access via RFC connections; a new message type has been defined. You can find this fix and an overview of the required support packages in SAP Note 1539105.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
This allows you to see which permissions would be changed in the roles without actually doing so.
Authorization tools are only as good as the person using them.