Authorization concept - user administration process
System Users
Roles can be cut so that, for example, they only have display or change permissions. Furthermore, it could be differentiated between customising, master data and movement data maintenance.
You can use the function block level permission check by setting the FUNC value in the RFC_TYPE field in the S_RFC authorization object. If you still want to allow function groups, specify the value FUGR here. Depending on the RFC_TYPE field, type the name of the function block or group in the RFC_NAME field (name of the RFC object to be protected). This extension of the test is provided by the correction in SAP Note 931251.
Check current situation
Some queries are also a bit complicated with the SUIM transaction. With SAP Query, you can quickly assemble queries that enable individual and more complex data evaluations. Do you want to know quickly which valid users currently have a modified access to a particular table, or what roles are users granted permission for a particular transaction? The SAP standard tool, the user information system, is an excellent solution for this type of data retrieval. However, at the latest during the next review, targeted queries with data combinations - and thus several SUIM query sequences - must be delivered within a short time. SAP queries can facilitate this task. An SAP Query is essentially a clear way to scan tables for specific data away from the SE16 transaction. There is the possibility to link multiple tables (join), which makes multiple SE16 queries just one SAP query. For example, if you want to know what roles users are entitled to perform the SCC4 transaction, you can use the SUIM transaction to query to determine which users can perform the transaction and view the roles that enable it in another query, but there is no result that shows both.
In order to provide user authorisation support, you often need their information. However, there is also the possibility to view missing permissions centrally for all users. If a user has a permission issue, a ticket is usually displayed at support. However, it is difficult for a support worker to understand permissions errors because they have different permissions and are often missing detailed information about the application where the permission error occurred. In practice, therefore, support staff often help themselves by asking the user to send a screenshot of the transaction SU53. Because this transaction shows the last failed permission check. In many cases, however, the information displayed there is not helpful to the permission administrator. You may have seen that a screenshot from the SU53 transaction shows a missing permission for typical base authorization objects, such as S_ADMI_FCD, S_CTS_ADMI, or S_TRANSLAT, but you know that your check has nothing to do with the actual permissions problem in the application. So you need the opportunity to see for yourself.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
To have these ERP transactions available in SAP SCM, create a new PFCGE role in SAP SCM, e.g. ZS:XXXX:ERP_MENU.
This report not only gives you an overview of the table logging settings in the tables, but also allows you to select multiple tables for logging.