User Information System (SUIM)
Determine Permissions Error by Debugging
Structural authorizations work with SAP HCM Organizational Management. They primarily define who can be seen, but not what can be seen, based on evaluation paths in the org tree. Therefore, structural authorizations should only be used together with general authorizations. The determination works via a so-called authorization profile. In this profile, the evaluation paths are used to define how to search on the org tree. Function modules can also be stored, which can be used to determine objects from Organizational Management using any criteria. This makes the structural authorizations very flexible.
In both cases the transaction S_BCE_68001410 is started. Here you can search for an authorization object by authorization object, authorization object text, object class and other options.
Authorizations in SAP systems: what admins should look out for
You can disable this new behaviour for the SAP_ALL profile by setting the customising switch ADD_S_RFCACL to the value YES in the table PRGN_CUST. If the ADD_S_RFCACL entry is YES, SAP_ALL still contains the total permissions for the S_RFCACL authorization object.
In practice, the main problem is the definition of content: The BMF letter remains very vague here with the wording "tax relevant data". In addition, there is the challenge of limiting access to the audited financial years.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
The filter settings are used as the current configuration for each subsequent startup and should therefore always be maintained.
Are you already using BAPIs in user care? For example, you can use them to set up a password reset self service.