Grant permissions for SAP background processing
Authorization check
Administrative activities are used to control system behavior and make various security-relevant settings. To minimize the risk of a system failure or the creation of a security vulnerability, administrative rights should only be granted to employees in the basic administration. The following list may be supplemented by suggestions from the company's own administration. It contains only the most important authorization objects for each subject area.
Since a role concept is usually subject to periodic changes and updates, e.g. because new functions or modules are introduced or new organisational values are added, role names should be designed in such a way that they can be expanded. Therefore, in the next step, define the useful criteria you need in your role name.
User and authorization management
Conceptually, the user types Database User and Technical User are distinguished. Database users are users that represent a real person in the database. As soon as a Database User is deleted, all (!) database objects created by this Database User are also deleted. Technical users are users who perform technical tasks in the database. Examples include the SYS and _SYS_REPO users, which allow administrative tasks such as creating a new database object or assigning privileges.
Due to the changed suggestion values in the SU24 transaction, you must now perform step 2c (roles to verify) to update all roles affected by the changed proposal values. Role changes are only customised! You will get a list that shows all the roles you need to edit. If you have more than one client to maintain roles, you must also do this in the other client.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
We need a test configuration for this.
The requirements in the third example to filter the Post Journal Display (transaction FAGLL03) can be implemented using the BAdIs FAGL_ITEMS_CH_DATA.