Maintain transaction start permissions on call CALL TRANSACTION
Checking at Program Level with AUTHORITY-CHECK
You have an organizational structure that includes 4 hierarchical levels - authority, department, unit, functional area). The authorization concept in your organization states that access (processing) to Records Management objects should be allowed for an employee only within his/her own organizational unit. However, the authorization check should only take place on three levels. So if a unit is subdivided into further functional areas, all employees of the unit and the functional areas should have the same authorizations. Since department 2 and department 3 work very closely together, employees of department 2 should be able to read all files, transactions and documents of department 3 and vice versa.
A red symbol will not be used in the eligibility tests in the EEA, as the rating has to be carried out individually for each enterprise. There are also different requirements within the system landscape, e.g. on production or development systems. The EWA is deliberately not customisable, as it is designed to alert customers to SAP-rated settings.
As a role developer, you can now select the specific application in the PFCG transaction from the list of web dynpro applications published by the software developers on the Menu tab and enter it in the Role menu. To generate the role profile, switch to the Permissions tab. There you can check the concrete value expressions of the S_START permission fields and, if necessary, the additional relevant authorization objects for this Web application and supplement them if necessary. Finally, you must generate the role profile as usual.
So much information... how can you keep it so that you can find it again when you need it? That's what Scribble Papers is great for.
As a result, you will get an advanced IMG structure, in our example FF Log settings, which you can access via the transaction SPRO. Finally, you could use the transaction COAT (see SAP Note 1089923) to assign additional attributes to your own tables and reports, for example. For example, this could be relevant for the tax audit and final reports or performance critical.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
In the following example, the MODELING role includes permission to use the _SYS_BI object with the EXECUTE, SELECT, INSERT, UPDATE, and DELETE privileges.
The authorization check for the authorization objects PS_RMPSORG and PS_RMPSOEH runs as follows following a user entry: The system determines the organizational unit to which the user is assigned.