Rebuilding the authorization concept
Solution approaches for efficient authorizations
However, the permission trace is a long-term trace that you can turn on using the auth/authorisation_trace dynamic profile parameter. This trace is user- and client-independent. In the USOB_AUTHVALTRC table, the trace supplements the permissions checks that were not captured before the application ran. This function can also be used for customer-specific developments. Now, go to the RZ11 transaction, enter the auth/authorisation_trace parameter name in the selection box, and click View. You will now get to the detailed view of the profile parameter with all properties and the link to a documentation. To turn the trace on, click Change Value and a pop-up window will open. Enter "Y" or "F" for filters here if you want to define a filter (see Tip 38, "Use SU22 and SU24 transactions correctly") and save your input. A warning appears informing you that the parameter value would be reset when the application server is launched.
As an SAP SuccessFactors implementation partner, we are often confronted with complex authorization constellations. For sure: If a consulting company does not implement a process first and the "framework" is missing as a result, the existing SAP authorizations must be analyzed retrospectively and the underlying concept must be understood. Only then can the new process be meaningfully inserted into the authorization concept.
Permissions checks
Authorization objects are defined with the help of transaction SU21. Each SAP transaction is equipped with the required authorization objects in SU24, which control access to specific functions within the respective program. Standard programs / transactions of an ERP system are already equipped with these objects during the initial installation. The same applies to other platforms such as CRM or Solution Manager.
You may have special requirements that are necessarily to be included in the naming convention, such as when you define template roles in a template project that can be customised locally. You can identify this in the naming.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
In the default selection you have the option to specify for which model view, for which modifier (Modified by) and for which time period you want to view change documents.
Furthermore, it could be differentiated between customising, master data and movement data maintenance.