RSUSR008_009_NEW
Authorization objects
This solution is only available via a support package starting with SAP NetWeaver AS ABAP 731 and requires a kernel patch. For details on the relevant support packages, see SAP Note 1891583. In principle, user login to the application server can then be restricted by setting the new login/server_logon_restriction profile parameter.
If you want to export the movement data of the productive system to a development system, you should first export user master records and the permission proposal values and archive the complete change documents. After importing, you can then delete the imported change documents, in analogy to the client copy, and then reload and index the original change documents of the development system. The activities described here require administrative permissions for the change documents (S_SCD0 and S_ARCHIVE) and, if applicable, for the table logs (S_TABU_DIS or S_TABU_NAM and S_ARCHIVE). These permissions should be considered critical, and you should assign them to a small circle.
Authorization concepts - advantages and architecture
Many companies are currently converting their current SAP systems from an ERP state to an SAP S/4HANA system. Through this conversion, many technical and also organizational components come upon the respective companies. The time factor for determining, organizing and implementing the necessary components should not be underestimated. The area of security is often neglected in thought, but can lead to major problems and possibly image-related damage - and resulting financial losses - in retrospect. For this reason, the implementation of a comprehensive authorization concept should be considered as early as possible in the project phase, as several components are intertwined here.
Reasons for incorrect organisational levels are values that have been manually maintained in the authorization object itself, instead of using the Origen button, as well as incorrect transports or incorrectly created or deleted organisational levels. Since correct inheritance can no longer occur in such cases, you need a way to reset incorrect values of the organisation levels in the PFCG roles.
With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
If you want to check custom fields, you must create your own permission fields in the transaction SU20.
Organisation levels ensure more efficient maintenance of the eligibility roles.