Limitations of authorization tools
General considerations
The RESPAREA field has a maintenance dialogue that allows you to enter areas of responsibility. The care dialogue is called as a building block and provides different tabs for input depending on the authorization object. Now, if you declare the RESPAREA field to be the organisation level, you must first set the display of the tabs for input in customising. To do this, you must add an entry to the KBEROBJ table that is independent of the client by using the SE16 transaction. In this entry, leave the first OBJECT field blank. The CURRENTOBJ field must be maintained because it defines the tab that will be displayed when the maintenance is called, i.e. the Default tab. If this field is blank, no startup image can be found and errors occur. The following fields determine the contents of the various tabs and should therefore also be maintained so that you can use RESPAREA as an organisational level. These are the OBJECT1 to OBJECT7 fields for the first to the seventh tab. In these seven fields, you define what values you can enter on the tabs.
Another function of this transaction is to find transactions based on generic table access transactions. Here you can check whether there are parameter or variant transactions for a given table, or for a particular view, for which you can set up permissions, instead of allowing access to the table through generic table access tools. If a search result is generated, you can even search for roles that have permissions for the selected alternative applications. To do this, click the Roles button (Use in Single Roles). When using this tool, make sure that even if applications have the same startup properties, there may be different usage characteristics, such as SU22 and SU24 transactions. Both transactions have the same start properties, but are used for different purposes and display different data.
BASICS FOR USING SAP REPORTS
If a user is assigned SAP_ALL, he has all permissions in an ABAP system. Therefore, particular care should be taken in the dedicated award of this entitlement. SAP_ALL can be generated automatically when you transport authorization objects. The SAP_ALL_GENERATION parameter must be maintained in the PRGN_CUST table.
A note box in which data of all kinds can be quickly filed and retrieved. This is what Scribble Papers promises. At first, the program looks very spartan. But once a small structure is in place, you realise the great flexibility of this little helper.
In order to be able to execute subsequent SAP standard reports, you need authorizations to access certain programs or reports and in the area of role maintenance. The transactions "SA38" and "SE38" for executing programs are of particular importance. They enable a far-reaching system analysis by means of certain programs for the end user. Additional rights associated with this, which can go beyond the basic rights of administrators, have to be controlled by explicit values in a dedicated manner.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
Therefore, the structures of the company and the relevant processes must be analyzed in detail during the creation process.
In general, however, you will need to translate a large number of role texts in these scenarios; Therefore, in the second section we will explain how you can automate the translation using the LSMW (Legacy System Migration Workbench) transaction and will discuss how to set up a custom ABAP programme.