Do not assign SAP_NEW
When the FIORI interface is called up, different roles (Fiori groups) are associated with factually related FIORI tiles. As an example, here is the group Master Data in which the FIORI tile "Manage Cost Center" can be found.
In many distributed organisations, the Profit Centre is used to map out the distributed units. However, this was only possible for FI with additional programming. In integrated data flows in SAP ERP, the sending application usually does not check the authorization objects of the receiving application. Financial Accounting (FI) in SAP does not check permissions for cost centres and profit centres. However, depending on the case of use, this may be necessary, e.g. if distributed entities are to operate as small enterprises within the enterprise and only collect and view data for this particular unit at a time. With the introduction of the new general ledger, SAP has technically merged the financial accounting and the profit centre account, so that the question of the inclusion of profit centre allowances in FIs becomes even more important.
Permissions with status
To establish an efficient and consistent structure in the area of SAP authorization management, function-related role and authorization assignments are the be-all and end-all. In addition, the existing authorization concept must be constantly analyzed for changes and security-relevant errors through proactive monitoring. This prevents negative and highly security-critical effects on your entire system landscape. To make this task easier for you, Xiting provides you with a comprehensive analysis tool, the Xiting Role Profiler. In addition, you can perform a basic analysis in advance, which will also be the main focus of this blog. The goal is to show you SAP standard methods with which you can already independently optimize your authorization and role administration.
However, the permission trace is a long-term trace that you can turn on using the auth/authorisation_trace dynamic profile parameter. This trace is user- and client-independent. In the USOB_AUTHVALTRC table, the trace supplements the permissions checks that were not captured before the application ran. This function can also be used for customer-specific developments. Now, go to the RZ11 transaction, enter the auth/authorisation_trace parameter name in the selection box, and click View. You will now get to the detailed view of the profile parameter with all properties and the link to a documentation. To turn the trace on, click Change Value and a pop-up window will open. Enter "Y" or "F" for filters here if you want to define a filter (see Tip 38, "Use SU22 and SU24 transactions correctly") and save your input. A warning appears informing you that the parameter value would be reset when the application server is launched.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
After making your selection in the Usage Proof, all of the affected implementations will be tabulated.
A field that has not previously served as an organisational level can include such entries with different values within a role.