Maintaining Authorization Objects (Transaction SU21)
Use Central User Management change documents
SAP_AUDITOR_TAX Collector Role: The SAP_AUDITOR_TAX collection role is made up of module-specific individual rolls and can be seen as a proposal for the read-only role of the tax inspectors (see SAP Note 445148 for details on this role). The transactions and reports included in the SAP_AUDITOR_TAX collection role have been expanded to include additional checks that define the audit period. Some of the transactions and reports included in the SAP_AUDITOR_TAX collection role have also been expanded to include a logging of the call parameters to allow the taxpayer to better understand the auditor's audit trades.
Each pass of the profile generator collects all the permission suggestions from the SU24 transaction to a transaction added through the role menu of the single role and checks the permissions to be added to the permission list. The following effect is to add transactions to a role when the added transaction is announced through the role menu of the role and various criteria are met.
User master data
The critical permissions are defined in these steps: On the Entry screen, select the Critical Permissions button. You will now see two folder pairs in the dialogue tree: - Critical Permissions > Critical Permission - Critical Permission > Permissions Data. In Change Mode in the lower folder hierarchy, double-click the Critical Permission folder, and then select New Entries. In the right-hand pane of the screen, enter the appropriate data for the Eligibility, Text, Colour, and Transaction Code fields. Save your input. When saving, you are asked for a customising job. Please specify it accordingly. Select the entry you just created and double-click to open the Permissions Data folder to maintain the permissions data. Then create a variant. To do this, double-click the Variants to Critical Permissions folder and select New Entries. Enter the name and description of the variant and save your input. Now assign the identifier of the created critical permission to the variant. To do this, select the variant and then double-click in the Variants subfolder to get critical permissions > critical permissions in the input mask. Now click on New Items and select your variant from the list - in our example ZB01. Then save your input. Finally, you can run your report variant with critical permissions. To do this, go back to the RSUSR008_009_NEW entry screen and select the critical permissions option in the variant name pane. Now use the Value Help to select and run the variant you just created.
The report PRGN_COMPRESS_TIMES provides a remedy. You can call it directly or in the edit mode of a PFCG role in the PFCG transaction via Tools > Optimise User Mapping.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
In total, there are the following three traces to authorization checks: 1) Authorization trace (transaction STUSOBTRACE) 2) System trace (transaction ST01 or STAUTHTRACE) 3) User trace (transaction STUSERTRACE).
This makes it possible to see how which positions are linked to each other.