ICS for business processes in SAP systems
Authorization check
These single roles can also be combined into composite roles. I recently discussed the special features of this in the article "SAP Authorizations Mass Maintenance Single Role Assignments in Composite Roles per Function Module (FuBa) or Transaction Code", but here I would rather discuss the roles and assignment of authorization object field values in role maintenance with the PFCG for an authorization overview.
Which applications have similar or identical features? Use application search to find out. Suppose you want to allow access to certain data for specific users or revisors. An auditor can usually view the contents of defined tables; However, in order not to give the auditor permission to use the generic table tools, such as the SE16, SM30 transactions, etc. , you need to verify that the relevant tables may be provided through other transactions. The actual function of the alternative application should not be used.
Permission implementation
For users for which no user type has been defined in the ZBV, either the default user type of the subsidiary system or the user type defined by the local measurement programme (transaction USMM) run is reported in the Contractual User Type column. In this case, no value is reported in the Value column in the control centre. If the user type has been defined via a local run of the surveying programme and this type of user is not stored in the ZBV, you should re-import the licence data for this user from the subsidiary system into the ZBV using the transaction SCUG. If there are users in the daughter systems for which the value in the columns of the Contractual User Type and Value in ZBV Central differ, either the IDoc of the ZBV has not yet been processed, or the user type has been changed locally. In these cases, you should check what the differences are and also correct them.
With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.
You can also find some useful tips from practice on the subject of SAP authorizations on the page "www.sap-corner.de".
If you want to allow users to access only individual table rows, you can use the S_TABU_LIN authorization object, which allows access to specific rows of a table for defined organisational criteria.