User group can be defined as required field
Structural authorizations
A universally applicable template for a reliable and functioning authorization concept does not exist due to the individuality and the different processes within each company. Therefore, the structures of the company and the relevant processes must be analyzed in detail during the creation process. Some core elements of the authorization concept to be created can be defined in advance. These include the overarching goal, the legal framework, a naming convention, clarification of responsibilities and process flows for both user and authorization management, and the addition of special authorizations. Only with clearly defined responsibilities can the effectiveness of a concept be guaranteed.
The evaluation of the licence data via the ZBV with the report RSUSR_SYSINFO_LICENSE provides a result list with the following contents: Contractual User Type - This column contains the actual local user types from the ZBV subsidiary systems. Value in Central - This column contains the central user type from the ZBV that is stored for the respective subsidiary system to the user.
Sustainably protect your data treasures with the right authorization management
A careless handling of the permissions with sensitive employee data can go quite nicely in the pants. Prevent uncontrolled and extensive reporting access to your HCM data by properly using the P_ABAP authorization object. In many companies, the correct use of P_ABAP is not known. As a result, there are often false expressions that, in the worst case, allow uncontrolled reporting access to all data in the logical database PNPCE (or PNP). This way, you can again erase your access restrictions, which were previously painstakingly defined in a permission concept. Therefore, it is necessary to test the use of P_ABAP in individual cases and to use the existing limitations. In the following we describe the logic behind this authorization object and what it is important to avoid.
If the system trace has recorded permission data for this authorization object, it will appear in the right pane of the window. In the left pane, you can see the existing suggestion values. If you notice that you do not have any suggestion values that you think are necessary and have been recorded by the trace, you can set the suggestion values to Yes by selecting the appropriate row, column or field in the right pane and clicking the Apply button. You are free to make any manual adjustments to the field values. Afterwards, confirm maintenance and your changes are saved for this authorization object. Do the same for all other authorization objects.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
You can now add these suggested values to the trace data by clicking the button trace in the Button bar.
You will notice, however, that the displayed services represent only a small part of the external services in the role menu.