Assignment of roles
Data ownership concept
Permissions profiles are transported in the standard (since release 4.6C) with the roles. If you do not want to do this, you have to stop the data export in the source system by the control entry PROFILE_TRANSPORT = NO. The profiles must then be created by mass generation before the user logs are matched in the target system. This can be done via transaction SUPC.
Alternatively, the maintenance of the authorization objects can also be called up via transaction SU21 (report RSU21_NEW). On the left side the individual classes and objects can be selected around then to the authorization object the existing authorization fields and short descriptions as well as over the button "documentation to the object indicate" also the documentation to the object to be called can.
Maintain authorization objects more easily
Finally, the check logic provides for a row-level check within a table if you want to restrict access to the table contents depending on an organisational mapping. For example, if you want a user to view only the data from a table that affects the country where their work location is located, you must configure it accordingly. To do this, you define and activate organisation-relevant fields as an organisational criterion (see Tip 62, "Organisationally restrict table editing permissions"). To keep track of which users can access which tables, run the SUSR_TABLES_WITH_AUTH report. This report provides information about which user or single role has the S_TABU_DIS or S_TABU_NAM authorization objects. The result list shows all the authorised tables, their permissions, and their permission values.
Have you ever wondered who has critical permissions in your system? Have you lacked the tool and approach to identify these users? The user system in an SAP system is always connected to a permission assignment. Over the life cycle of a user in the SAPS system, more and more permissions are accumulated if they are not withdrawn once they are no longer needed. This accumulation is bound to result in users being able to perform more actions than you would like as the permission administrator. To avoid this, we want to give you a suitable tool.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
Unlocking a user and assigning a new password is rarely done in real time, even with large 24-hour support service departments.
These user types control the login behaviour and also the impact of password rules on the user.