Customise Permissions After Upgrade
Trace after missing permissions
We now want to describe the necessary settings in the sending application using the example of encrypted sending of initial passwords. To implement this requirement, you can use the BAdI BADI_IDENTITY_UPDATE. This BAdI is also only available via a support package starting from SAP NetWeaver AS ABAP 7.31. For details on the relevant support packages, see SAP Note 1750161. To implement the BAdIs, use the transaction SE18; there you can also see the example class CL_EXM_IM_IDENTITY_UPDATE. For the BAdI BADI_ IDENTITY_UPDATE, you must implement the SAVE method to the IF_BADI_IDENTITY_UPDATE interface.
The first step in the cleanup process is therefore to find out whether the current authorization concept is sufficient and a cleanup is the best way forward, or whether a rebuild of the authorization concept is necessary. The focus should be on saving the current authorization concept, since rebuilding it takes more time than cleaning it up.
Use table editing authorization objects
You will need to adapt the template to your organisation's circumstances, i.e., probably define the certificate filing depending on the naming convention for your users and adjust the certificate verification. This verification of certificates ensures that no existing certificates are added in the template and that only one certificate is entered to an e-mail address. This check is necessary because sending an encrypted e-mail is cancelled if more than one valid certificate to an e-mail address is found. You can map mass imports of the certificates via this customer-specific programme. In addition, you will also need to define a way to manage certificates in your organisation, i.e. how to transfer changes to certificates to the SAP system.
The test for the assignment of the SAP_ALL profile is carried out in the SOS differently than in the EWA: If a user is found, assigned to SAP_ALL, and you have not entered it in the corresponding whitelist, it will still be hidden in the subsequent permission checks. Identified users will be output either through a complete list or through examples of specific users. In both cases, you can download the full list in the SAP Solution Manager's ST14 transaction. You can use the Check ID to map user lists to the permission checks. However, you should note that these lists do not contain the evaluations of the whitelists.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
This also applies to internal expiration procedures (such as background jobs) because you do not need to register a password.
Authorizations represent characteristics of authorization objects depending on the employee's activity and responsibility.