Making the RESPAREA responsibility the organisational level
Using eCATT to maintain roles
If you want to understand how to run a permission check in your code, you can use the debugger to move through the permission check step by step. To implement your own permission checks, it may be helpful to see how such checks have been implemented in the SAP standard. In this tip, we show you how to view the source code of permission checks using the debugger in the programme, or how to get to the code locations where the permission checks are implemented.
You use the RSUSR010 report and you do not see all transaction codes associated with the user or role. How can that be? The various reports of the user information system (SUIM) allow you to evaluate the users, permissions and profiles in the SAP system. One of these reports, the RSUSR010 report, shows you all executable transactions for a user, role, profile, or permission. Users of the report are often unsure about what this report actually displays, because the results do not necessarily correspond to the eligible transactions. Therefore, we clarify in the following which data are evaluated for this report and how these deviations can occur.
Data ownership concept
All external services for cross-navigation are stored in the role menu in the GENERIC_OP_LINKS folder. In addition to this information, this folder also contains external services that represent the already mentioned area start pages and logical links. You can delete the latter, as these are duplicates from the other folders or non-relevant external services. Now, to set up correct permissions for the non-manageable external services in the GENERIC_OP_LINKS folder, you can identify the external services you need for your CRM business role and delete all other external services. However, as I said, there is a risk that too many external services will be deleted and cross-navigation or calling the saved searches will no longer work. It is better to move the GENERIC_OP_LINKS folder to a separate role.
How to maintain security policies and map them to your users is described in Tip 5, "Defining User Security Policy." You need a separate security policy for administrators to implement this tip, which is often useful for other reasons. In this security policy, you then set the policy attribute SERVER_LOGON_PRIVILEGE to 1. For example, you can also include the DISABLE_PASSWORD_LOGON policy attribute setting, because administrators often want to be able to log in with a password on the system.
With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
To do this, call your custom-created transaction and assign the necessary authorization objects either manually by using the Object button, or use the Permissions or System Trace to assign the permissions (see Tip 40, "Using the Permissions Trace to Determine Custom Permissions Proposal Values").
For example, the "old", or current, authorization concept must be analyzed, evaluated and, if necessary, fundamentally revised.