Context-dependent authorizations
Critical authorizations
In the beginning, the FI and CO modules were separated from each other. Both modules have been combined by SAP as higher-level modules in the accounting area. The main reason for this is the tight process structure, which enables a smooth transition between the two modules. As a result, SAP FI and CO now only appear as the joint module SAP FICO.
In particular, you can derive valuable information about customer transactions, since experience has shown that not all transactions are used. In this context, it is important to mention that you should only use the usage data logged and extracted from the SAP system for the optimisation of SAP role concepts. This information may only be used with the involvement of a co-determination body of your organisation, since this information can of course also be derived from individual users for performance control purposes. However, experience has shown that the use of these data with an early involvement of the institutions of codetermination and the definition of earmarks is uncritical.
Consolidate user-level role mapping
When assigning a new user group to a user, only the creation permission in the new user group is required. Alternatively, you can enable the check for activity 50 (Move) of the S_USER_GRP authorization object. In the USR_CUST table, set CHECK_MOVE_4_CNG_GRP to YES.
So much information... how can you keep it so that you can find it again when you need it? That's what Scribble Papers is great for.
Once you have logged in, the permissions associated with your user (via the user account) will be available. Each of your actions leads to the use of runtime versions of the corresponding objects. This also applies to every privilege and role. Runtime versions of rolls are not transportable in SAP HANA. However, in order to achieve a high quality in the development of your applications, you should use a system landscape with development system (DEV), quality assurance system (QAS) and productive system (PRD). To enable you to translate development results to QAD and PRD, SAP HANA Studio provides you with the opportunity to create objects in a (freely definable) Design Time Repository that you can provide and transport via Delivery Units to other systems.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
If you keep the necessary functional separations in place, you have already prepared them as a takeaway.
For example, if you call step 2c (Roles to be reviewed) in the SU25 transaction, all roles will be marked with a red light, which requires mixing based on the changed data from the SU24 transaction.