You can still assign roles and profiles to a user if you have the appropriate permissions to these activities. As long as no user group is associated with the user, permissions for any user group will be sufficient. If you assign a user group to the newly created user, all the checks will be repeated for that user group.
Another important authorization object for background processing is the object S_BTCH_NAM, which allows a user to run the steps of a job under another user (see SM36 -> Edit step). Here, a name other than the user's own can be entered in the user field of a step. The prerequisite is that the job scheduler has an authorization for the object S_BTCH_NAM, which contains the name of the step user, and that the step user exists in the same client as the job scheduler itself. From 4.6C: The step user must be of type Dialog, Service, System or Communication.
Include customising tables in the IMG
Authorizations in a company are usually not assigned to individuals, but to roles. A role describes jobs or positions within the organization. One or more persons can hold a role and thus have the access authorizations assigned to the role. The authorization profile (the number of authorizations) of a role contains all authorization objects that are required to execute the transactions. By means of a profile generator (transaction PFCG) the creation of the authorization profile can be automated in SAP.
So much information... how can you keep it so that you can find it again when you need it? That's what Scribble Papers is great for.
First and foremost, legal principles must be stated and specific reference must be made to authorizations that are critical to the law and that may not be assigned (or at most may be assigned to emergency users). An example is the authorization "Debugging with Replace", to which the object S_DEVELOP with the values ACTVT = 02 and OBJTYPE = DEBUG legitimizes and over which data can be manipulated by main memory change. However, this would violate § 239 of the German Commercial Code, the so-called "erasure prohibition".
Authorizations can also be assigned via "Shortcut for SAP systems".
This simplifies the later maintenance in the IMG structure.
Before you can write a User-Exit in a validation, you have to make some preparations.