Permissions with status
RSUSR008_009_NEW
An alternative to using the S_TABU_LIN authorization object is to create custom table views that make organisational delimitation easier to achieve. To do this, create a new view in the SE11 transaction and add the table to which the constraint will apply on the Tables/Join Conditions tab. The Selection Conditions tab allows you to specify your restrictive organisational condition in the form of a field and a field value. You then authorise all relevant users to access the view, which contains only data for your organisational restriction.
Of course, you can also use the data obtained with the permission trace (with filter for the S_DATASET authorization object) to express permissions on the object itself. In any case, you should also use the values obtained for the PROGRAM field. In this way, you exclude misuse by modified copies of ABAP programmes. This limitation of access programmes already represents a security gain, even if you do not want to restrict access to paths and files.
Extend permission checks for documents in FI
If the authorization objects also require permission fields, you can create them in the SU20 transaction. When creating a authorization object in the SU21 transaction, you first set a name and description for the authorization object, and then assign it to an object class. Then assign the necessary permission fields. If any of these fields are ACTVT, you can select all of the activities to be checked by clicking the Activities button. The navigation behaviour has been improved here a lot.
The customising objects you have just created are now integrated into your own IMG structure. To do this, open the SIMGH transaction again, call your structure in Change mode, and paste it under the previously created folder by selecting Action > Insert a Level Lower. You should already create a documentation of the same name with the installation of the Customising objects. To do this, select the Create button on the Document tab and write a text to save it and then activate it.
With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.
Now check all permissions in all remaining profiles within the SAP_NEW summary profile that have a higher release level than the SAP_BASIS upgrade start release.
If no critical feature has been detected, the message"Programme RSUSR003 reports ›Security check passed‹"will be displayed instead.