Permissions and User Root Sets Evaluations
The SAP authorization concept
As with an SAP_NEW role, it is possible to generate an SAP_APP role. As with the SAP_APP profile, all permissions are included here, except the base permissions and the HCM permissions. The ability to create this role with the report REGENERATE_SAP_APP exists after inserting the SAP note 1703299. This report generates a role that is fully usable for all applications. However, we recommend using this role only for development and test systems.
If the FIORI interface is then used under SAP S/4HANA, the additional components must also be taken into account here. Authorizations are no longer made available to the user via "transaction entries" in the menu of a role. Instead, catalogs and groups are now used here. These are stored similar to the "transaction entries" in the menu of a role and assigned to the user. However, these catalogs must first be filled with corresponding tiles in the so-called "Launchpad Designer". It is important to ensure that all relevant components (tile component and target assignment component(s)) are always stored in the catalog. The FIORI catalog is used to provide a user with technical access to a tile. A corresponding FIORI group is used to make these tiles visually available to the user for access in the Launchpad.
Note the effect of user types on password rules
In a redesign, we follow the principle of job-related workstation roles to technically map the job profile of the employees. To minimize the effort for the same job profiles with different organizational affiliations, the organizational units are inherited via an additional role. The separation of technical and organizational requirements greatly simplifies role development and modification. If certain people, such as team leaders, require extended authorizations, key user roles are developed for them, which extend the existing job role.
With the new transaction SAIS, you will enter the AIS cockpit, where you will be able to evaluate the various audit structures related to the topic. When performing an audit, under Audit Structure, select one of the existing structures and select a check number in the appropriate field. Audit structures may be subject to different audits; Therefore, you must always select an audit first. To do this, select a verification number or create a new audit. After you select the audit, the audit tree will appear in the cockpit. You can now perform the individual steps of the audit along the definition in the audit tree.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
In the VARIANT column, you can simply use a sequential numbering.
For example, you can add subsidiary systems or release them from the ZBV.