Concept for in-house developments
After creating a authorization object, you should do the following: Make the permission check implementation at a convenient location in your code. Maintain the proposed values for the application in the transaction SU24. Re-load the role in the PFCG transaction if the application has already been rolled. If it is a new application, adjust the roles by including the new application in the Role menu, and then maintaining the permissions of the authorization objects loaded into the role by the suggestion values.
For each form of automated derivative of roles, you should first define an organisational matrix that maps the organisational requirements. To do this, you must provide data on each organisation in a structured form.
ACCESS CONTROL | AUTHORIZATION MANAGEMENT FOR SAP®
A note on the underlying USKRIA table: This table is independent of the client. For this reason, you cannot maintain this table in systems that are locked against cross-client customising. In this case, you should create a transport order in the development system and transport the table to the production system.
The password lock is not suitable to prevent the login to the system, because it does not prevent the login via single sign-on. Learn how to safely lock the system logon. The SAP system distinguishes several reasons for blocking. Therefore, sometimes there is confusion when a user is still able to log on to the system, e.g. via Single Sign-on (SSO), despite the password lock. We explain the differences between locking passwords, locking and validity of user accounts, and validity of assigned permissions in the following.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
Double-clicking on a authorization object will direct you to the authorization object definition, and double-clicking on the transaction will direct you to the programme location where the permission check is performed.
In many cases, however, the information displayed there is not helpful to the permission administrator.