The SAP authorization concept
SAP Authorization Trace - Simple Overview of Authorizations
Ensure that permission checks are performed when reference users are assigned. The checks are performed on the permissions associated with the roles and profiles assigned to the reference user. These eligibility tests are also a novelty, which is supplemented by SAP Note 513694.
EARLYWATCH: The user EARLYWATCH only exists in the client 066, because it serves the remote maintenance by the SAP support. EARLYWATCH only has display rights for performance and monitoring functions. Safeguard measures: Lock down the user EARLYWATCH and only unlock it when requested by SAP Support. Change the password, assign it to the SUPER user group, and log it with the Security Audit Log.
Data ownership concept
Thus, after evaluation, you can select all SAP hints with the status to implement and load directly into the Note Assistant (transaction SNOTE) of the connected system. This is only possible for a development system and if the SAP Solution Manager can use an appropriate RFC connection to the connected system. You should also consider the security advisories that apply to applications that are installed on your system but that you do not use productively. These vulnerabilities can also be used for an attack.
The first step is to create an IMG project. You can create a new project or edit an existing project to create a customising role. To do this, call the SPRO_ADMI project management entry transaction. If a suitable project is not available, you can view the list of SAP customising activities. To do this, click the SAP Reference-IMG button or create a new project. To do this, select the Create Project button ( ) or the (F5) button. A new window will open, where you enter the project name. Note that you have a maximum of ten characters for the name. Once you have confirmed your input, a new screen will open. The General Data tab allows you to specify users, project managers, project times, and the language for the information texts.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
In addition, you may need to extend the permissions of the users in the RFC connections to the ZBV's subsidiary systems by the permissions to the S_RFC object with the SUNI and SLIM_REMOTE_USERTYPES function groups.
The call to your implementation of the BAdIs is the last step in the process of storing user data.