Determine Permissions Error by Debugging
Use Central User Management change documents
A careless handling of the permissions with sensitive employee data can go quite nicely in the pants. Prevent uncontrolled and extensive reporting access to your HCM data by properly using the P_ABAP authorization object. In many companies, the correct use of P_ABAP is not known. As a result, there are often false expressions that, in the worst case, allow uncontrolled reporting access to all data in the logical database PNPCE (or PNP). This way, you can again erase your access restrictions, which were previously painstakingly defined in a permission concept. Therefore, it is necessary to test the use of P_ABAP in individual cases and to use the existing limitations. In the following we describe the logic behind this authorization object and what it is important to avoid.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
So much information... how can you keep it so that you can find it again when you need it? That's what Scribble Papers is great for.
A universally applicable template for a reliable and functioning authorization concept does not exist due to the individuality and the different processes within each company. Therefore, the structures of the company and the relevant processes must be analyzed in detail during the creation process. Some core elements of the authorization concept to be created can be defined in advance. These include the overarching goal, the legal framework, a naming convention, clarification of responsibilities and process flows for both user and authorization management, and the addition of special authorizations. Only with clearly defined responsibilities can the effectiveness of a concept be guaranteed.
Define a user group as mandatory field in the user root
When you mix roles, either after upgrading or during role menu changes, changes are made to the permission values. You can view these changes as a simulation in advance. As described in Tip 43, "Customising Permissions After Upgrading," administrators may see some upgrade work as a black box. You click on any buttons, and something happens with the permissions in their roles. For example, if you call step 2c (Roles to be reviewed) in the SU25 transaction, all roles will be marked with a red light, which requires mixing based on the changed data from the SU24 transaction. Once you call one of these roles and enter the Permissions Care, the permission values change immediately. Using the Alt, New, or Modified update status, you can see where something has changed, but you cannot see the changed or deleted values. A simple example of how to play this behaviour without an upgrade scenario is changing the role menu. Delete a transaction from a test role and remix that role. You are aware that certain authorization objects have now been modified and others have even been completely removed, but can't all changes at the value level be replicated? Thanks to new features, this uncertainty is now over.
The customising parameters in the table PRGN_CUST control the password generator in the transactions SU01 and SU10. The values of the profile parameters override the customising parameter entries to prevent invalid passwords from being generated. If the value of a customising parameter is less than the value of the corresponding profile parameter, the default value of the customising parameter is drawn instead. The same is true if no value is maintained. You can exclude certain words or special characters as passwords by entering them in the USR40 table. In this table you can enter both specific passwords (e.g. your company's name) and patterns for passwords (e.g. 1234*). '*' stands for any number of additional characters (wild card) and '?' for any character. However, when maintaining the USR40 table, note that the number and type of entries affect performance.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
If such information is available from the past, it should be checked whether all topics have been implemented in accordance with the comments.
This is done by checking the S_TABU_CLI authorization object, which decides on maintenance permissions for client-independent tables.