Define a user group as mandatory field in the user root
How to analyze roles and authorizations in the SAP system
The assignment of combinations of critical authorizations (e.g., posting an invoice and starting a payment run), commonly known as "segregation of duties conflicts," must also be reviewed and, if necessary, clarified with those responsible in the business departments as to why these exist in the system. If compensating controls have been implemented for this purpose, it is helpful if the IT department also knows about this so that it can name these controls to the IT auditor. The IT auditor can then pass this information on to his or her auditor colleagues.
SAP delivers authorization objects for Records and Case Management, which you can use to control access to records, cases, documents, and incoming mail items for individual organizational units in your organizational plan in conjunction with corresponding Customizing settings. SAP delivers predefined roles that contain clearly defined authorizations for the respective task areas of the employees. Among other things, these roles also contain the authorization objects for Records Management and Case Management. You can use the roles as a template for your own roles and adapt them to your requirements.
The first step to eliminating sprawl in permissions is to prevent it. To do this, administrators should obtain an overview and the assigned authorizations should be checked regularly. This helps to identify problems and incorrectly assigned authorizations at an early stage. The workload monitor can help here. This shows which authorizations users are actually using. The use of authorizations can be analyzed selectively and exported to tables. This also helps to improve existing roles and to create new roles for the authorization model in SAP.
So much information... how can you keep it so that you can find it again when you need it? That's what Scribble Papers is great for.
Applications use the ABAP statement AUTHORITY-CHECK in the source code of the program to check whether the user has the appropriate authorizations and whether these authorizations are defined appropriately, that is, whether the user administrator has assigned the values required by the programmer for the fields. In this way, you can also protect transactions that are indirectly accessed by other programs. AUTHORITY-CHECK searches the profiles specified in the user master record for authorizations for the authorization object specified in the AUTHORITY-CHECK statement. If one of the determined authorizations matches one of the specified values, the check was successful.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
As a result, a controller of a business unit, for example, can only view the consolidated figures of his business unit, but not the figures of the entire group.
Once the data in this table is available, you have the option to maintain the proposed values.