Architecture of authorization concepts
Error analysis for authorizations (part 1)
To do this, in the SU24 transaction, open the application you want to customise. To maintain the missing suggestion values, you can start the trace here by clicking on the button Trace. You can of course also use the system trace for permissions via the ST01 or STAUTHRACE transactions. A new window will open. Click here on the Evaluate Trace button and select System Trace (ST01) > Local. In the window that opens you now have the opportunity to restrict the trace to a specific user or to start it directly. To do this, enter a user who will call the application you want to record, and then click Turn on Trace. Now, in a separate mode, you can call and run the application you want to customise. Once you have completed the activities that you need permission checks, i.e. you have finished the trace, you will return to your application in the transaction SU24 and stop the trace by switching off the button trace. To perform the evaluation, click the Evaluate button. To obtain the trace data for each authorization object, select the authorization object you want to customise in the upper-left pane of the Permissions object drop-down list.
If you select the SU24 Data Initialisation button, step 1 is the same and you overwrite your SU24 data with the SU22 data for the selected applications. The Auto Sync selection corresponds to step 2a. All new SU22 data will be transferred to the transaction SU24. Modified SU24 data is detected and must be matched manually. However, this information is provided to you in the Determined Synchronisation Status column. If you want to keep your SU24 data as it is for certain applications, select the button Set Status"Verified". To give you more transparency about the impact of your activities, there is a role usage proof via the Roles button. This allows you to check the roles in which the selected applications are used. With the Change Preview selection, you can see which suggestion values would be changed for your selection in the transaction SU24.
SAP Security Concepts
If you do not see the Expert Mode button for step 2 in the SU25 transaction, check whether you can call the expert mode from the SU24 transaction by clicking the Sample Value Match button. In this view, it is possible to select the proposed values to be matched by specific selections, so that not all proposed values are used for matching. In the first selection, you can choose the data to take. You can select here whether only SAP standard applications or customer or partner applications should be considered. You can still limit the selection by type of application, package, or component shortcut in the Other Constraints pane. In the Application Search pane, you can also limit the SU22 data to an upload file, transport jobs, or role menus.
If a transaction is removed from the role menu, the default permission is deleted when mixing. However, this only applies if no further transaction requires this permission and therefore uses the same permission proposal. This applies to both active and inactive default permissions.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
A text file is now created under the appropriate path, containing the desired format with the input parameters.
When displaying or posting receipts in SAP Finance, are the standard eligibility checks insufficient? Use document validation, BTEs, or BAdIs for additional permission checks.