Maintaining Authorization Objects (Transaction SU21)
General authorizations
With the help of the transaction SU22, the software developers can deliver their application with the appropriate authorization objects. After the transfer of the data from the transaction SU22 to the tables from the transaction SU24, the role developer may further process the proposed values with the transactions SU24 or SU25 for use in the transaction PFCG. Please also refer to the SPA 1539556.
With the Enhancement Package (EHP) 3 to SAP ERP 6.0, SAP has provided an extension of the eligibility tests in the FIN_GL_CI_1 Business Function, which allows the eligibility objects for profit centres to be tested in FI. You must first enable the FIN_GL_CI_1 Business Function in the Switch Framework (transaction SFW5). After that, you can activate the new functionality in Customising via this path: Finance (new) > Basic Financial Settings (new) > Permissions > Enable Profit Centre Permissions Check.
Define security policy for users
Communication users are also intended for use by people who log on to the SAP system from outside via RFC call. Therefore, dialogue is not possible. If the password is set by the administrator, it will be assigned Initial status. However, an RFC call does not prompt the user to change the password. It therefore often retains this status, even if the user has the possibility to change the password by calling a function block (then: Status Productive). The password rules apply to this type of user. However, this is often not noticed in practice, as password rules for initial passwords are less used.
Well-maintained suggestion values are extremely helpful for creating PFCG roles. We will give you a rough guide as to when it makes sense to maintain suggestion values. SAP provides suggested values for creating PFCG roles in the USOBT and USOBX tables via upgrades, support packages, or hints. These suggestion values include suggested values for permissions of SAP default applications that can be maintained in PFCG roles. Suggestion values are supplied not only for transaction codes, but also for Web Dynpro applications, RFC function blocks, or external services. You can customise these suggestion values to suit your needs. However, this does not happen in the supplied tables, but in the USOBT_C and USOBX_C customer tables. Care is carried out in the transaction SU24.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
We will now show you how to use the new features of the SAP NetWeaver Application Server ABAP to increase transparency in upgrading suggestion values and mixing PFCG roles.
Calling the SU56 transaction will cause you to parse the permission buffer, first displaying your own user's permission buffer.