Use SAP_NEW correctly
SAP AUTHORIZATIONS: THE 7 MOST IMPORTANT REPORTS
Armed with this information, it goes to the conceptual work. Describe which employee groups, which organisational units use which applications and define the scope of use. In the description, indicate for which organisational access (organisational level, but also cost centres, organisational units, etc.) the organisational unit per application should be entitled; So what you're doing is mapping out the organisation. It is also important to note which mandatory functional separation must be taken into account. This gives you a fairly detailed description, which in principle already indicates business roles (in relation to the system).
In the only method of the BAdIs, CHANGE_ITEMS, programme the necessary checks, such as on specific data constellations or permissions. These can refer to all fields in the FAGLPOSX structure. You do this by specifying that all lines for which the test was not successful will be deleted during the execution of the method. This implementation of the BAdIs complements the Business Transaction Event 1650 described in the second example. You can also use the FB03 transaction to display receipts in the same way that you implement the FB03 filter. In this case, implement the required checks in the BAdI FI_AUTHORITY_ITEM.
Map roles through organisational management
Locking and validity of the user account is done through the user administrator and is also valid for other authentication procedures. This means that a login via SSO is not possible for an invalid user or a user with administrator lock. We therefore always recommend that you prevent access to the system by setting the validity of users. Setting validity on assigned roles also prevents the user from performing actions in the system, but does not generally prevent them from logging in.
The requirements for the architecture of authorization concepts are as individual as the requirements of each company. Therefore, there is no perfect template. Nevertheless, there are topics that should be considered in an authorization concept.
Authorizations can also be assigned via "Shortcut for SAP systems".
If a transaction is removed from the role menu, the default permission is deleted when mixing.
The role menu of the PFCG role now consists of folders that represent all logical links within a scope start page, and external services that represent the logical links and the area start pages themselves.