Detect critical base permissions that should not be in application roles
Implementing CRM Role Concept for External Services
Anyone who owns valuable personal property assumes responsibility for it - just like a landlord, for example. He decides whether changes need to be made to the building, whether privacy hedges need to be planted in the garden or whether superfluous old appliances need to be disposed of and, if necessary, has a new lock installed immediately if the front door key is lost. He may forbid visitors who are not relatives to enter the bedroom or the daughter to have a public party in the house.
Another option is to not assign the SAP_NEW permission to a user. For example, during the tests to be performed, both the development system and the quality assurance system will experience permission errors. These should then be evaluated accordingly and included in the appropriate eligibility roles for the correct handling of the transactions.
User Management
If you want to allow users to access only individual table rows, you can use the S_TABU_LIN authorization object, which allows access to specific rows of a table for defined organisational criteria. A prerequisite for this type of permission is that the tables have columns with such organisational values, such as the work, country, accounting area, etc. You must now configure these organisational values in the system as organisational criteria that represent business areas; serve as a bridge between the organisational columns in the tables and the permission field in the authorization object. Since the organisational criteria are found in several tables, this eligibility check need not be bound to specific tables and can be defined across tables.
Authorizations can also be assigned via "Shortcut for SAP systems".
At "www.sap-corner.de" you will also find a lot of useful information on the subject of SAP authorizations.
Such projects must be well planned and prepared.