Equal permissions
Trace after missing permissions
Far more damage, however, can be caused by too extensive authorizations. For example, an employee may be authorized to access data for which he or she is not authorized. In the worst case, criminal activity can cause economic damage. To prevent this, an authorization concept must be in place that describes how authorizations are to be created and assigned to users.
Trace after missing permissions: Run the System Trace for Permissions (ST01 or STAUTHTRACE transaction) to record permission checks that you want to include in the role (see Tip 31, "Optimise Trace Evaluation"). Applications are logged through the Launch Permissions checks.
Map roles through organisational management
The SAP authorization default values are the basis for role creation and are also the starting point for SAP authorization management. For this purpose, the SU22 SAP authorization default values must be transported via SU25 into the customer-specific SU24 tables. The consistency of the default values should therefore be checked beforehand using the SU2X_CHECK_CONSISTENCY report. If inconsistencies exist, they can be corrected using the report SU24_AUTO_REPAIR. Detailed information regarding the procedure can be found in SAP Note 1539556. In this way, you can not only clean up your SU24 values, but at the same time achieve a high-performance starting position for role and authorization administration.
Authorizations can also be assigned via "Shortcut for SAP systems".
You can also find some useful tips from practice on the subject of SAP authorizations on the page "www.sap-corner.de".
In addition, user and permission management can set up their own monitoring of permissions to avoid unpleasant surprises during audits.