Use Custom Permissions
This advanced functionality of the transaction SU53 is delivered via a patch. Please refer to SAP Note 1671117 for more information on the required support packages and technical background. Unsuccessful permission checks are now written to a ring buffer of the application server's Shared Memories. This will allow you to view failed permission checks in Web Dynpro applications or other user interfaces, which was not previously possible. Depending on the size of the ring buffer and system usage, up to 100 failed permissions checks per user can be displayed for the last three hours. The size of the ring buffer is calculated from the number of defined work processes. By default, 100 permission checks can be saved per workprocess. You can adjust this size using the auth/su53_buffer_entries profile parameter.
Documents: The documents in the audit structure describe the audit steps. You can create them in accordance with your audit requirements. You can recognise documents by the symbol. Double-click on this icon to open the document.
Implementing the authorization concept in the FIORI interface
Now, if a user attempts to execute a report (for example, by using the KE30 transaction), the user's permissions for that authorization object are checked. Therefore, you must adjust your permission roles accordingly. If the user does not have permission to access the object, his request is rejected. If it has a corresponding permission, the display will be restricted to the permitted area. Access is still allowed for all characteristics or value fields that are not defined as fields of the authorization object.
The SAP authorization default values are the basis for role creation and are also the starting point for SAP authorization management. For this purpose, the SU22 SAP authorization default values must be transported via SU25 into the customer-specific SU24 tables. The consistency of the default values should therefore be checked beforehand using the SU2X_CHECK_CONSISTENCY report. If inconsistencies exist, they can be corrected using the report SU24_AUTO_REPAIR. Detailed information regarding the procedure can be found in SAP Note 1539556. In this way, you can not only clean up your SU24 values, but at the same time achieve a high-performance starting position for role and authorization administration.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
These are stored similar to the "transaction entries" in the menu of a role and assigned to the user.
However, you should not turn on table logging for tables that are subject to mass changes, as there may be performance and disk space issues.