Authorization objects
Do not assign SAP_NEW
Alternatively, the maintenance of the authorization objects can also be called up via transaction SU21 (report RSU21_NEW). On the left side the individual classes and objects can be selected around then to the authorization object the existing authorization fields and short descriptions as well as over the button "documentation to the object indicate" also the documentation to the object to be called can.
Armed with this information, it goes to the conceptual work. Describe which employee groups, which organisational units use which applications and define the scope of use. In the description, indicate for which organisational access (organisational level, but also cost centres, organisational units, etc.) the organisational unit per application should be entitled; So what you're doing is mapping out the organisation. It is also important to note which mandatory functional separation must be taken into account. This gives you a fairly detailed description, which in principle already indicates business roles (in relation to the system).
Limit character set for user ID
Now the structure must be filled "with life". To do this, you must first create meaningful subfolders in the customer's own structure. As already mentioned, these are mostly based on the SAP modules. Make sure that you also set your customising for additional add-ons, so that later the work of support organisations is easier. Call the transaction SOBJ. There, you create customising objects that will later be reused in your IMG structure. It is useful to name the object exactly as the corresponding table. This simplifies the later maintenance in the IMG structure. Here you also decide whether and how the tables can possibly be maintained in the productive system. To do this, select the appropriate entries in the Category and Transport fields and check the Current setting option. Repeat this for all custom customising tables that are still needed.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
You can also find some useful tips from practice on the subject of SAP authorizations on the page "www.sap-corner.de".
After the report has been successfully passed, all TMSADM users of the landscape in the client 000 and their destinations have the same new password.