Map roles through organisational management
Architecture of authorization concepts
In SAP systems you always have the possibility to integrate custom developments. In such extensions or your own programmes, you must implement permission checks and may also create your own authorization objects. You can also supplement authorisation checks in standard transactions if the existing checks do not cover your requirements.
Historically grown authorization structures can be found especially in system landscapes that have been in operation for a long time. Instead of small, modular, job-specific roles, existing roles are continually expanded and assigned to different employees in different departments. While this leads to less administrative work in the short term, it causes the complexity of the role to increase massively over time. As a result, the efficiency of authorization development is increasingly lost.
How to analyze roles and authorizations in the SAP system
By inserting SAP Note 1723881, you resolve the third of these problems by banning the recording of the same role on different transport orders. To enable this change in system behaviour, you must set the CLIENT_SET_FOR_ROLES customising switch to YES in the PRGN_CUST table. This toggles the setting in the SCC4 transaction for changing and recording custom customising objects ("Client modifiability") for role maintenance.
The SU10 transaction, as the user administrator, helps you maintain bulk user master records. You can now also select the user data by login data. You're probably familiar with this. You have blocked users, for example, so that a support package can be included. Some users, such as administrators, are not affected. For collective unlocking, you only want to select users with an administrator lock. The mass maintenance tool for users in the transaction SU10 is available for this purpose. This transaction allows you to select by user and then perform an action on all selected users. Until now, users could only be selected by address data and permission data.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
All settings described here can be made via the transaction SM30.
You can use the following reports: RSUSR_LOAD_FROM_ARCH_PROF_AUTH / RSUSR_LOAD_FROM_ARCHIVE.