In addition to these requirements, other settings can ensure that the transaction can be performed without verification: Verification of eligibility objects is disabled by check marks (in transaction SU24). This is not possible for SAP NetWeaver and SAP ERP HCM authorization objects, i.e. it does not apply to S_TCODE checking. The checks for specific authorization objects can be globally off for all transactions (in transaction SU24 or SU25). This is only possible if the profile parameter AUTH/NO_CHECK_IN_SOME_CASES is Y. In addition, executable transactions may also result from the assignment of a reference user; the reference user's executable transactions are also taken into account.
Now the structure must be filled "with life". To do this, you must first create meaningful subfolders in the customer's own structure. As already mentioned, these are mostly based on the SAP modules. Make sure that you also set your customising for additional add-ons, so that later the work of support organisations is easier. Call the transaction SOBJ. There, you create customising objects that will later be reused in your IMG structure. It is useful to name the object exactly as the corresponding table. This simplifies the later maintenance in the IMG structure. Here you also decide whether and how the tables can possibly be maintained in the productive system. To do this, select the appropriate entries in the Category and Transport fields and check the Current setting option. Repeat this for all custom customising tables that are still needed.
Use SAP_NEW correctly
Thanks to the new feature provided with the Support Package mentioned in SAP Note 1847663, it is possible to use trace data from the privilege trace in the SU24 transaction for suggestion value maintenance. The system trace that you can call through the ST01 transaction or the STAUTHTRACE transaction (see also Tip 31, "Optimise Trace Evaluation") is a short-term, client-dependent trace that you can restrict to users or applications.
To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.
The default authorization roles of the new SAP system for consolidation and planning, SAP Group Reporting, are shown in the following graphic. It does not matter whether the system is accessed via the browser (Fiori Launchpad) or via local access (SAP GUI). The authorization roles shown in the graphic merely indicate the technical specifications preset by SAP. However, these can be used as a starting point and adapted accordingly after a copy has been created.
Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.
This is required if you have entered a different table permission group when maintaining the table permission groups, for example, for the T000 table.
The handling of the emergency user should also be specified in the authorization concept, which should be documented in writing.