Extend permission checks for documents in FI
Set up login locks securely
The context-dependent authorizations combine the general and structural authorizations and avoid situations like in the example above. The context-dependent authorizations can be separated so finely that a separation of functions can be made possible without any gaps. Basically, with context-dependent authorizations, the authorization objects are supplemented by structural authorization profiles. This means that authorizations are no longer assigned generally, but only for the objects in the authorization profile. The use of context-dependent authorizations means that the familiar P_ORGIN authorization objects are replaced by P_ORGINCON and P_ORGXX by P_ORGXXCON. The new authorization objects then contain a parameter for the authorization profile.
The SAP_NEW profile is basically designed to bridge the release differences in eligibility checks after an upgrade and ensure that the established business processes remain executable after an upgrade. The SAP_NEW permission should only be assigned temporarily and only in emergencies in a productive SAP system after an upgrade.
Check and refresh the permission buffer
No more users can be created, maintained or deleted without the assignment of a valid user group. If a user group is not assigned when a user is created, the user is automatically assigned the default user group. Before you set the USER_GRP_REQUIRED switch, a user group must have been assigned to each existing user and the administrators must have the permissions for the default user group. When creating a new user, the default user group will be used as pre-occupancy; this user group can be overridden by setting another user group in the S_USER_GRP_DEFAULT user parameter for each user administrator. The customising switch requires a valid user group, because it is used as the default user group. If a valid user group has not been entered in the customising switch, the user group is nevertheless a mandatory field. This will lead to errors in automated user creation.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
You can also find some useful tips from practice on the subject of SAP authorizations on the page "www.sap-corner.de".
This function can be disabled by customising.