Debug ABAP programs with Replace
Set password parameters and valid password characters
Access to tables and reports should be restricted. A general grant of permissions, such as for the SE16 or SA38 transaction, is not recommended. Instead, parameter or report transactions can help. These transactions allow you to grant permissions only to specific tables or reports. You can maintain secondary authorization objects, such as S_TABU_NAM, in the Sample Value Care.
In Step 2b (Customised Proposal Values), you must manually adjust the entries that you manually changed in the SU24 transaction in the initial release. This will start the SU24 transaction in upgrade mode, and you can step by step through all applications and match the changes. If you have created custom organisational levels (ormits), you must restore them at this point using the PFCG_ORGFIELD_UPGRADE report. The report must be called for each organisational level. Only the organisation levels that you create are displayed through the Value Help. SAP Note 727536 lists questions and answers about the use of customer-specific organisational levels.
Conclusion and outlook
Over the button field maintenance also own-developed authorization fields can be created to either a certain data element is assigned or also search assistance or check tables are deposited. On RZ10.de the topic has been described in more detail including a video recording in the article "Creating Authorization Objects with SAP Transaction SU21".
The assignment of roles does not include any special features. Therefore, we only deal with the topics of time-space delimitation and logging. Time-space validation is implemented as an additional filter that runs after the usual permission checks. This additional filter logic works as follows: The first step is to check whether the user is entered in the tax verifier table (Table TPCUSERN, Configuration with the transaction TPC2). Only then will the further tests be carried out. If not, no additional checks will be carried out. The programme is then checked to see if it is included in the table of allowed programmes (table TPCPROG, configuration with the transaction TPC4). If the check is negative, the system cancels with a permission error. The time-space check is performed against the valid intervals in the table TPCDATA (configuration with the transaction TPC6). The time-space check works in context: In addition to the supporting documents of the audit period, older supporting documents are also included if they are still relevant for the audit period, such as open items that were booked in previous years but only settled in the audit period. Records that do not fall into the valid period according to the logic described above are filtered out.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
If the note is not implemented, use the USOBT_CD and USOBX_CD tables.
It forms a logical bracket around the extensions and thus provides a better overview.