Use SU22 and SU24 transactions correctly
Copy values from the Clipboard to the transaction's PFCG permission fields
In most cases, customizing is performed using transaction SPRO. However, this is only the initial transaction for a very comprehensive tree structure of further maintenance transactions. Most customizing activities, however, consist of indirect or direct maintenance of tables. Therefore, a random check of the authorization structure in this environment can be reduced to table authorizations. In the case of delimited responsibilities within customizing (e.g. FI, MM, SD, etc.), attention should therefore be paid here to an appropriate delimitation within the table authorizations. Independent of assigned transaction authorizations within customizing, a full authorization on table level combined with a table maintenance transaction such as SM30 practically corresponds to a full authorization in customizing. Normal customizing by user departments generally refers to client-specific tables. Access to system tables should therefore be restricted to basic administration if possible.
Customer and vendor totals statements: The Customer or Vendor Accounting Sum. Rate Tables (KNC1/KNC3 or LFC1/LFC3) do not include the Profit Centre field. Therefore, authorisation control with regard to the profit centre is not possible for evaluations such as the customer and vendor balance lists (transactions FD10N or FK10N).
Making the RESPAREA responsibility the organisational level
Make your IMG projects more secure. We show you how to create customising permissions for individual projects or project views, thereby limiting access. With the SAP Implementation Guide (IMG), there is a tool that allows you to customise your SAP system to suit your business needs. You can manage access to projects in the IMG via customising permissions and thus limit the user circle. You grant the members of an SAP project team the permissions they need to support the project. Below we show you how to create customising permissions by mapping to the IMG projects.
We would like to point out that after defining and implementing a authorization object, you should no longer change the permission field list, as this will cause inconsistencies. Once you have determined that you want to add more fields to your check, assign your authorization object to the AAAA object class and create a new authorization object.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
You want to be able to filter the Post Journal Display (FAGLL03 transaction) or the display of documents in the FB03 transaction depending on the permissions granted, and thus exclude certain entries or documents from display.
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
Redesigning authorizations when migrating to SAP S4/HANA or cleaning up existing authorizations on legacy systems - an efficient authorization and role concept is the basis for secure and functional operation of SAP systems.