Deleting table change logs
Basic administration
New AP implementation, S/4HANA conversion or redesign of an SAP authorization concept - the complexity has increased enormously and requires a clear structure of processes, responsibilities and the associated technical implementation. New technologies such as Fiori and Launchpads are challenges and reasons to rethink authorization structures.
It should be noted, however, that the system writes all authorization errors of the user into the memory area of SU53. I.e. if there is a so-called double hit, i.e. several authorization errors occur, only the last error is always in this area. I prefer to have the user run the transaction until the error message "No authorization...", then use the menu to display the error, and send me a screen shot of the first page of output. This way I avoid that the user creates another authorization error when calling transaction SU53, which covers the original one. As a user administrator or role administrator, you can also call SU53 yourself and display the error entry of another user via the menu. However, this does not always work.
Authorization concepts in SAP systems
In contrast to storing passwords in the form of hash values, the user ID and password are transmitted unencrypted during the login of the client to the application server. The Dynamic Information and Action Gateway (DIAG) protocol is used, which may look somewhat cryptic but does not represent encryption. In addition, there is no cryptographic authentication between the client and the application server. This applies not only to communication between the user interface and the application server, but also to communication between different SAP systems via Remote Function Call (RFC). So, if you want to protect yourself against the access of passwords during the transfer, you have to set up an encryption of this communication yourself.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
If you want to know more about SAP authorizations, visit the website "www.sap-corner.de".
The corresponding CRM business roles have been configured to be associated with outbound plugs that are not required for the respective CRM business role scenario.