System Users
Create order through role-based permissions
Today we come to the error analysis with authorizations. The best thing that can happen is the error of the type: "I don't have authorization to do this and that!" (CASE1). Worse is the case that someone has too many permissions, i.e. the type: "User xy should not have this permission anymore" (CASE2). How to proceed? First of all we come to case 1 This case, that someone has no authorization for something, supports the system excellently! The code word is SU53! If a transaction encounters an authorization error, then this error is written to a memory area that can be displayed. For this there is once the transaction SU53 or the menu selection "System/Utilities/Anc authorization check". With this function, the system outputs information showing which authorization objects are missing for the user.
Role selection for mass transport uses the default value help, which offers the Multiple Selection button. Thus, you no longer have to go through the Value Helper (F4) to perform multiple selection of roles, and the restriction of selected roles to the visible rows is eliminated.
Take advantage of roll transport feature improvements
Transaction SE63 allows you to translate a variety of text in the SAP system. You can find the texts relevant to the permission roles by going to the Translation > ABAP Objects > Short Texts menu. In the Object Type Selection pop-up window that appears, select the S3 ABAP Texts node and select the ACGR Roles sub-point. You can now select the role in the following screen. You must note that the system expects the client to be prefixed, and the next step allows you to maintain the chunk in the target language. The variable AGR_TEXTS 00002 corresponds to the description of the role and the variable AGR_HIERT_TEXT 00001 corresponds to the description of the transactions contained therein. After you have saved the entry, the description of the role is also maintained in the target language, in our example in the English language and visible after the login. Select the source language correctly in the field.
You know that changing your SU24 data involves mixing the roles in question. Previously, the permission administrators had to select roles from, for example, the SUIM transaction to edit them. Often, the remixing of the respective roles is also forgotten. In order to ensure that you can set the mixing mode for the respective roles directly when maintaining the data in the transaction SU24, the function has been provided here with the respective support packages named in SAP Note 1896191. Correction is used to change the mixing mode for PFCG: On/Off/Roles. The function assigns the shuffle mode to the roles, which corresponds to step 2c of the transaction SU25 (see tip 43, "Customise Permissions After an Upgrade"). You can enable this function by using the value Y for the parameter SU2X_SET_FORCE_MIX in the table PRGN_CUST. The status of the mixing mode can be checked by clicking the button Mixing mode for PFCG: Enquire On/Off. By default, this feature is off. The Roles button (Use in Single Roles) identifies all the roles that the selected application contains and displays them directly in the SU24 transaction. You will receive a list of all matching roles in the SUPC transaction by selecting the Also-to-be-matched roles option, and you can now gradually update the roles.
With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.
Your system has inactive users? This is not only a security risk, as they often use an initial password, but also creates unnecessary licence costs.
You can use the report SU25_INITIALIZE_TSTMP.