Permissions with status
Coordinate authorisation management in customer-owned programmes
The proposed values in the SU24 transaction are an imperative for the maintenance of PFCG roles, as these values are used when creating PFCG roles. The better these values are maintained, the less effort is required to maintain the PFCG roles (see figure next page). You may ask yourself in which cases it makes sense to adjust the proposed values, since they have such a large impact on the maintenance of roles.
When the auth/authorisation_trace parameter is turned on, external services are written to the USOBHASH table and permission checks are logged in the USOB_AUTHVALTRC table. You can now use the contents of this table to apply the checked objects and values from the trace to the suggestion values in the transaction SU24. Because it is a dynamic profile parameter, it is reset when the application server is launched. Now open the transaction SU24 and you will find your own UIK component as an external service. Double-clicking on this service will tell you that no suggestion values have been maintained there. You can apply these suggested values from the USOB_AUTHVALTRC table. Here you should at least maintain the UIU_COMP authorization object so that this information is loaded into the PFCG role as soon as you include the external service in your role menu.
Deletion of change documents
Check to see if there are any corrective recommendations to follow for your release. We recommend that you run the SU24_AUTO_REPAIR correction report before executing the transaction SU25 (see tip 38, "Use the SU22 and SU24 transactions correctly"). If necessary, run this report in the old lease, but in any case before importing the new proposal values. Use the test mode of the report to look at possible corrections in advance. In addition, to ensure that you do not lose information with your upgrade work, you can write and release the data from the SU24 transaction on step 3 (customer table transport) in the SU25 transaction to a transport order. This way, a backup of your SU24 data is made. Now the upgrade work can begin. Warning: Do not perform step 1 (customer tables were initially filled), because this overwrites the USOBT_C and USOBX_C customer tables, i.e. the SU24 data, completely with the SAP suggestion values. However, you want to keep your SU24 data and add to the proposed changes for the new release!
For table logging, it must be ensured that SAP® Note 112388 (tables requiring logging) is fully implemented and that all tables containing financially relevant data are also included in the logging. Of course, this also applies to all Z-tables! As last point of the important parameter settings are those for the definition of the password settings. Here, it should be ensured that the parameters are also set up in accordance with the company's specifications. However, the check should not only focus on the global settings that are valid for all users, but should also include all those users who have been assigned their own security policies. Especially for these, an appropriate justification must be available in writing.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
Therefore, the BAdI is also called during maintenance by the BAPI BAPI_USER_CHANGE.
Five years earlier, the number of cases was significantly lower - 23,562 cases - and have steadily increased from then on.