Ensuring secure administration
You can limit the recording to a specific user. You can also use the trace to search only for permission errors. The evaluation is similar to the evaluation of the system trace in the transaction ST01. In transaction STAUTHTRACE, however, you can also evaluate for specific authorization objects or for specific permission check return codes (i.e. after positive or negative permission checks). You can also filter multiple entries.
It should be noted, however, that the system writes all authorization errors of the user into the memory area of SU53. I.e. if there is a so-called double hit, i.e. several authorization errors occur, only the last error is always in this area. I prefer to have the user run the transaction until the error message "No authorization...", then use the menu to display the error, and send me a screen shot of the first page of output. This way I avoid that the user creates another authorization error when calling transaction SU53, which covers the original one. As a user administrator or role administrator, you can also call SU53 yourself and display the error entry of another user via the menu. However, this does not always work.
To create a authorization object, you must first select the result area and the form of the result invoice, whether calculating or accounting, for which you want to validate the authorization object. To do this, you must enter the name of the authorization object to be created and click the button (Next). You then set a text for the authorization object and select a maximum of ten permission fields for the object using the Fields button. Only a selection of the characteristics defined for the result area - and for the calculation of the result account also the value fields - is possible. You can now create different authorization objects for the key numbers and characteristics, or you can group the relevant fields into a authorization object. We advise you to define only one object with all relevant fields, as this will facilitate the maintenance of permissions. In our example, we created an accounting authorization object for the characteristics of the profit centre, distribution channel and work in the information system.
A separate programme - a separate permission. What sounds simple requires a few steps to be learned. Do you want to implement your own permission checks in your own development or extend standard applications with your own permission checks? When implementing customer-specific permissions, a lot needs to be considered. In this tip, we focus on the technical implementation of the authorisation check implementation.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
In order to nevertheless offer a procedure that is manageable and easy to handle, the SAP authorization concept was implemented on the basis of authorization objects.
Once you have archived the change documents from the User and Permission Management, you can use a logical index for change document properties to significantly improve performance.