Query the Data from an HCM Personnel Root Record
SAP authorizations: Recommendations for setting up, monitoring and controlling
Giving permissions to specific functions that are called in SAP CRM through external services requires some preliminary work. Users working in SAP CRM use the SAP CRM Web Client to invoke CRM capabilities. For this to work smoothly, you must assign a CRM business role to the user, which provides all the CRM functionality necessary for the user. If the role should only allow access to certain external services, regardless of the customising (or only to the external services specified in the customising), it becomes a little trickier. All clickable elements in the SAP CRM Web Client, such as area start pages or logical links, are represented by CRM UI components. These UI components are, technically speaking, BSP applications. By clicking on such a component, the user gains access to certain CRM functions. These UI components are represented in the roles as external services. You must explicitly allow access to these UI components through PFCG roles, similar to the permissions for access to specific transactions.
Finally, you can extend your implementation of the BAdIs BADI_IDENTITY_SU01_CREATE and pre-enter additional fields of the transaction SU01. To do this, complete the appropriate SET_* methods of the IF_IDENTITY interface. For example, it is possible to assign parameters that should be maintained for all users, assign a company, or assign an SNC name.
Authorization roles (transaction PFCG)
Running the system trace for permissions gradually for each application server is tedious. We will show you how to record permission checks on multiple servers at the same time. If you want to use the System Trace for permissions in a system with multiple application servers, you should note that the Trace can only log and evaluate data per application server at any time. Therefore, if a permission error occurs, permission administrators must first check which application server the user is logged on to with the permission issue and then start the trace on that application server. We give you a guide to record permissions checks on certain application servers, but we also show you a way to use this feature centrally.
With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.
If you want to know more about SAP authorizations, visit the website "www.sap-corner.de".
In the result list, you will find all parameter transactions that use the SE16 transaction as the calling transaction.