SAP Authorizations Authorization objects - SAP Basis

Authorization objects
Check current situation
Documents: The documents in the audit structure describe the audit steps. You can create them in accordance with your audit requirements. You can recognise documents by the symbol. Double-click on this icon to open the document.

You can limit the recording to a specific user. You can also use the trace to search only for authorization errors. The evaluation is similar to the evaluation of the system trace in transaction ST01. In transaction STAUTHTRACE, however, you can also evaluate for specific authorization objects or for specific authorization check return codes (i.e. after positive or negative authorization checks). You can also filter multiple entries.
Further training in the area of authorization management
In principle, the SAP_NEW profile should not be granted in the production system. The Profiles tab displays the generated profiles in the user master record that are associated with a specific user. Here you can also assign manually created authorization profiles from transaction SU02, even without direct role mapping. In principle, the recommendation is to use the profile generator (transaction PFCG) to generate authorization profiles automatically. Take special care when you enter generated authorization profiles directly on the Profiles tab, as these assignments will be deleted when user assignments are matched with transaction PFUD if there is no entry on the Roles tab for the assignment. You have probably assigned SAP_ALL and SAP_NEW to users for whom there should be no restrictions in the SAP system. But how do these two profiles differ from each other, and why are they necessary?

Users can activate or deactivate processes without affecting other processes. For example, they can activate Succession & Development without affecting position management in Employee Central. With the help of the tool, users always know for what purpose a particular user has been given a particular permission. Basic authorizations, which are identical for every user, are only stored once in a platform role. This ensures that system performance remains optimal.

Authorizations can also be assigned via "Shortcut for SAP systems".

Depending on the requirements, the suggested values provided by SAP may be sufficient or need to be supplemented.

In this case, also note that the default user group will be assigned in the child systems if no user group has been distributed when the user was created from the Central User Administration (ZBV).