User Interface Client Permissions
THE "TOP SEVEN"
In the transaction SU01, enter a non-existent user ID and click the Create button (F8). The BAdI BADI_IDENTITY_SU01_CREATE is called with the new user ID. Implementation in the BAdI is running. For example, here you can read additional attributes to the new user from an external data source. The data collected within the BAdIs is written into the fields of the transaction SU01. This will show you the new user master set with the pre-filled fields. You can edit the user master record, such as assign roles, or change the pre-populated fields.
You can also evaluate the application log through the SLG1 (ATAX object) transaction; the output of the report CA_TAXLOG seems more useful here. Finally, we have some important information for you: There are individual programmes that can be used read-only, but also offer options for updates to the database. In these cases, additional logic was implemented (e.g. in SAP Note 925217 to the RFUMSV00 programme for the sales tax pre-reporting). Action log data can be accessed via the transaction SLG2 (Object: ATAX) (see also SAP Note 530733). If you want to customise for the annual permissions directly in the production system (so-called "current setting"), the SAP Note 782707 describes how to do this. Basic information about Current Settings is provided in SAP Notes 135028 and 356483. SAP Note 788313 describes in detail the functional components of the time-space test and the additional logging and also serves as a "cookbook" to use in customer-specific developments. How you can prevent access to the SAP menu and only show the user menu to the user, we described in Tip 47, "Customising User and Permissions Management".
Installing and executing ABAP source code via RFC
The high manual maintenance effort of derived roles during organisational changes bothers you? Use the variants presented in this tip for mass maintenance of role derivations. Especially in large companies, it often happens that a worldwide, integrated ERP system is used, for example, for accounting, distribution or purchasing. You will then have to limit access to the various departments, for example to the appropriate booking groups, sales organisations or purchasing organisations. In the permission environment, you can work with reference roles and role derivations in such cases. This reduces your administrative overhead for maintaining functional permissions and reduces maintenance work for role derivations to fit the so-called organisational fields. However, maintaining the organisational fields can mean enormous manual work for you, as the number of role derivations can become very large. For example, if your company has 100 sales organisations and 20 sales roles, you already have 2,000 role outlets. Here we present possible approaches to reduce this manual effort.
You use Central User Management and wonder why you still need to evaluate the licence data individually in the attached systems. This does not have to be the case, because a central evaluation is possible! There are licence fees for using SAP systems, and you need SAP licence keys. The amount of your licence costs will be determined during the current operation, depending on the number of users and the features used in the SAP software. The survey programme (transaction USMM), the results of which you transmit to SAP, serves this purpose. Not only the number of users is relevant, but also their classification, the so-called user types. You assign these to the user via the transaction SU01 or the transaction SU10 (Licence Data tab). Alternatively, you can let the user inherit the user type of a reference user or classify it via an associated role. This is done by analogy when you use the Central User Administration (ZBV). So far, there has been no central evaluation of the data of all systems connected to the ZBV. Now this has changed, and we'll show you how you can use this analysis.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
This means that all permission administrators must work exclusively with the new solution.
The evaluation of the licence data via the ZBV with the report RSUSR_SYSINFO_LICENSE provides a result list with the following contents: Contractual User Type - This column contains the actual local user types from the ZBV subsidiary systems.