Use table editing authorization objects
Maintain generated profile names in complex system landscapes
In SAP systems, authorization structures grow over the years. If, for example, there is a restructuring in the company or there are new organizations, there is a risk that the authorization concept no longer fits or is implemented correctly.
For result and market segment accounting, you can define planning authorization objects, the information system, and item-based reports of the information system. In the customising (transaction SPRO), you create them via the following path and then select the corresponding section. Controlling > Income and market segment calculation > Tools > Permissions management > CO-PA specific eligibility objects.
What are SAP authorizations?
If RFC function modules are called via RFC connections (for example, from an RFC client program or another system), an authorization check is performed on authorization object S_RFC in the called system. This check checks the name of the function group to which the function module belongs. If this check fails, the system also checks the authorizations for the name of the function module. Configure this check with the auth/rfc_authority_check parameter.
If it is clear that a cleanup is necessary, the first step should be a detailed analysis of the situation and a check of the security situation. Based on these checks, a redesign of the authorizations can be tackled.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
To avoid the password being unnecessarily transferred, it is better to initiate the despatch within your central SAPS system.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
It is not uncommon for developers to issue an authorization error of the type "No authorization for..." from their programs, but they have not checked this with a standard authorization check at all, so that the error is not an actual authorization error.