Critical authorizations
Deletion of change documents
Manual addition of authorization objects to roles is sometimes necessary. However, the start authorizations for actions should be generated into the role exclusively via the role menu. For the following evaluations the table AGR_1251 is used, in which to the roles the authorization objects with their values are stored.
The valid programmes or transactions are stored in the SAP TPCPROGS delivery table, but do not follow a uniform naming convention. Part of the transaction code (e.g. AW01N), part of the report name (e.g. RFEPOS00), or the logical database (e.g. SAPDBADA) is relevant here. Logical databases (e.g. SAPDBADA, SAPDBBRF) are basic data selection programmes and are particularly used in financial accounting. The permission checks, including the time period delimitation, are implemented in the logical database and work for all reports based on a logical database (e.g. the RAGITT00 grid is based on SAPDBADA and the RFBILA00 balance sheet report is based on SAPDBSDF). When you copy the values from the TPCPROGS table, the TPC4 transaction is quickly configured.
Full verification of user group permissions when creating the user
For simplicity, we want to explain this example by using the PFCG_TIME_DEPENDENCY background job. This job calls the report RHAUTUPD_NEW or can be executed directly with the transaction PFUD. Imagine that there's no transactional code for this job yet.
You can find the report RSUSR010 in the User Information System under the entry Transactions > Executable Transactions (all selections). You can run the report for users, roles, profiles, and permissions as described above. We will describe the evaluation for the users below (see figure next page above); for the other selection options, the operation of the report is analogous. The RSUSR010 report identifies all transactions that a user is allowed to start. In the list of executable transactions, you can then double-click on the transaction (for example, PFCG) to view the list of authorization objects and values for that transaction.
With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.
The SAP standard already provides some tables for logging; For an overview of these tables, see SAP Note 112388 (tables requiring logging).
You will find the corrections and an overview of the required support packages in SAP Note 1963882.