Authorization concept of AS ABAP
Use SU22 and SU24 transactions correctly
Roles can be assigned to users directly through user management in the SU01 transaction, role maintenance in the PFCG transaction, or mass change of users in the SU10 transaction. However, if the employee changes his or her position in the company, the old roles must be removed and new roles assigned according to the new activities. Because PFCG roles are created to represent job descriptions, you can use organisational management to assign roles to users based on the post, job, etc.
In addition, you can also define customised permission checks in the SOS and also define combinations of authorization objects and their values. You can create up to 1,000 custom permissions checks in the Check ID namespace 9000 to 9999. You can also redefine whitelists for these permission checks, which apply to either individual or all of the customer's permission checks. The configuration is described in SAP Note 837490.
Lack of definition of an internal control system (ICS)
You want to document internal system revisions and authorisation monitoring? The new cockpit of the Audit Information System offers you some practical functions. There are several legal requirements that require a regular audit of your SAP system. As a general rule, there are internal and external auditors who carry out such audits. In addition, user and permission management can set up their own monitoring of permissions to avoid unpleasant surprises during audits. Auditor documentation is often standardised in the case of external auditors; for the internal audit or your own monitoring, however, in many cases a suitable documentation is missing. In spite of automated evaluations, external auditors often also demand an activation of the Audit Information System (AIS). We will show you how to activate the AIS and take advantage of the new AIS cockpit.
You can use authorization objects to restrict access to tables or their content through transactions, such as SE16 or SM30. The S_TABU_DIS authorization object allows you to grant access to tables associated with specific table permission groups. You can view, maintain, and assign table permission groups in transaction SE54 (see Tip 55, "Maintain table permission groups"). For example, if an administrator should have access to user management tables, check the permission status using the SE54 transaction. You will notice that all the user management tables are assigned to the SC table permission group.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
In these seven fields, you define what values you can enter on the tabs.
Also a problem is the increased administrative overhead of granting and managing permissions.