Architecture of authorization concepts
Get an overview of the organisations and their dependencies maintained in the system
However, the authorization trace is not active by default, but must be explicitly activated via the profile parameter "auth/authorization_trace". In transaction RZ11 you can easily and quickly check if the parameter is already set. The profile parameter is set in transaction RZ10. By default, the profile parameter is active in SAP systems (profile parameter transport/systemtype = SAP) and inactive in customer systems (profile parameter transport/systemtype = CUSTOMER).
However, the greatest advantage is the consistent use of reference users for performance. The use of reference users reduces the number of entries per user in the user buffer, i.e. in the USRBF2 table. This is because the entries in the user buffer only have to be stored once for the reference user and not more times for the inheriting users. This reduction in the table contents of the USRBF2 table will improve performance when performing eligibility tests.
Extend permission checks for documents in FI
Make sure that the client-independent tables for logging are always logged when the parameters are not set to OFF. In addition to the parameters listed here, the table itself must also have the table logging hook set; This is usually done with the help of the transaction SE13. The settings are made in development and then transported to the other systems. The SAP standard already provides some tables for logging; For an overview of these tables, see SAP Note 112388 (tables requiring logging). You can evaluate the logging settings of the tables using the RDDPRCHK report or the RDDPRCHK_AUDIT transaction in the SAP system. The selection is made in the start image of the report, e.g. via the table name or the selection of options for logging.
So much information... how can you keep it so that you can find it again when you need it? Scribble Papers is a "note box" that makes this very easy.
No more users can be created, maintained or deleted without the assignment of a valid user group. If a user group is not assigned when a user is created, the user is automatically assigned the default user group. Before you set the USER_GRP_REQUIRED switch, a user group must have been assigned to each existing user and the administrators must have the permissions for the default user group. When creating a new user, the default user group will be used as pre-occupancy; this user group can be overridden by setting another user group in the S_USER_GRP_DEFAULT user parameter for each user administrator. The customising switch requires a valid user group, because it is used as the default user group. If a valid user group has not been entered in the customising switch, the user group is nevertheless a mandatory field. This will lead to errors in automated user creation.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
In this profile, the evaluation paths are used to define how to search on the org tree.
You can maintain organisational units and posts and assign business partners with their user IDs.