Context-dependent authorizations
Use Central User Management change documents
Role selection for mass transport uses the default value help, which offers the Multiple Selection button. Thus, you no longer have to go through the Value Helper (F4) to perform multiple selection of roles, and the restriction of selected roles to the visible rows is eliminated.
You are using the SAP_ALL profile for interface users, and after upgrading to a new Support Package, do you get permission errors? While we cannot recommend using the SAP_ALL profile, we describe how you can resolve this problem in the short term. In newer SAP NetWeaver releases, the SAP_ALL profile no longer contains permissions for the S_RFCACL authorization object. This can lead to permission errors, such as for interface users who have the SAP_ALL profile assigned to them. Please note that we can only recommend using the SAP_ALL profile for absolute emergency users. Therefore, instead of applying this tip, you should preferably clear the permissions of your interface users. To learn how to do this, see Tip 27, "Define S_RFC permissions using usage data." However, such a cleanup of the privileges of your interface users cannot happen overnight. Therefore, we will explain how to resolve the issue in the short term.
Even if key users (department users/application support) do not have to develop their own authorization objects and cooperation with SAP Basis is always advantageous, there are often technical questions such as "Which users have authorization to evaluate a specific cost center or internal order?
For the ABAP stack, authorization profiles can be created either manually or by using the profile generator. However, the use of the profile generator is strongly recommended, since manual administration usually results in misconfigurations of authorizations. The profile generator guarantees that users only receive the authorizations assigned by their role. Concepts, processes and workflows must therefore be adapted to the use of the profile generator. There is no choice for the Java stack; here the J2EE authorization mechanism must be used. The User Management Engine offers options that go beyond the J2EE standard.
Authorization tools in the SAP GRC Suite ensure that every company can design a highly automated compliance management system that fits exactly. The majority of German companies with an SAP system do not yet use authorization tools. However, the use of SAP authorization tools is a great advantage for many companies. The extent to which the use of authorization tools makes sense depends on the size of a company.
Authorizations can also be assigned via "Shortcut for SAP systems".
When displaying or posting receipts in SAP Finance, are the standard eligibility checks insufficient? Use document validation, BTEs, or BAdIs for additional permission checks.
For details on the relevant support packages, see SAP Note 1891583.