Customise Permissions After Upgrade
Best Practices Benefit from PFCG Roles Naming Conventions
In a redesign, we follow the principle of job-related workstation roles to technically map the job profile of the employees. To minimize the effort for the same job profiles with different organizational affiliations, the organizational units are inherited via an additional role. The separation of technical and organizational requirements greatly simplifies role development and modification. If certain people, such as team leaders, require extended authorizations, key user roles are developed for them, which extend the existing job role.
Thanks to the new feature provided with the Support Package mentioned in SAP Note 1847663, it is possible to use trace data from the privilege trace in the SU24 transaction for suggestion value maintenance. The system trace that you can call through the ST01 transaction or the STAUTHTRACE transaction (see also Tip 31, "Optimise Trace Evaluation") is a short-term, client-dependent trace that you can restrict to users or applications.
Include customising tables in the IMG
The organisation of a company is represented in the SAP system. Keep an overview here to identify dependencies and control access permissions in an organisation-specific way. In customising, different organisational values are stored for the individual ERP components to enable an organisational mapping of the root and movement data. This mapping is required, among other things, to control access permissions or constraints. We will show you how you can get an overview of the well-maintained organisational units and see dependencies between the different organisational values.
Tax reporting: The tax reporting system in SAP is based on the accounting area. The Profit Centre is not intended as a reporting unit here.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
If you want to know more about SAP authorizations, visit the website www.sap-corner.de.
The SPTH table allows you to protect the file system from ABAP programme accesses without granting permissions and to deliberately define exceptions.
The third line with PATH = /tmp/myfiles defines a permission group with FS_BRGRU = FILE, triggering the subsequent permission check on the S_PATH object.