SAP Authorizations - Overview HCM Authorization Concepts
Equal permissions
To make the most of the time stamping process, you should fill the time stamp tables in the legacy system before upgrading. Implement SAP Note 1599128. With this correction, the report SU25_INITIALIZE_TSTMP is delivered, which allows to write the current timestamps of your data from the transaction SU22 into the respective timestamp tables USOBT_TSTMP and USOBX_TSTMP. After the upgrade, you will have a reference date for your SU22 data, which you can use to compare with the SAP proposal data shipped for the new release. Setting the timestamps in the legacy release reduces the effort required to complete step 2a, because only those applications whose SU22 data has been modified are matched. If you have not filled the timestamp tables in the old release, the tables in your new release will be empty. In this case, in step 2a, the content of the SAP proposal values will be compared to the customer proposal values, regardless of a timestamp.
A new transaction has been added to evaluate the system trace only for permission checks, which you can call STAUTHTRACE using the transaction and insert via the respective support package named in SAP Note 1603756. This is a short-term trace that can only be used as a permission trace on the current application server and clients. In the basic functions, it is identical to the system trace in transaction ST01; Unlike the system trace, however, only permission checks can be recorded and evaluated here.
Note the effect of user types on password rules
Step 2d (Show Modified Transaction Codes) lists all roles that have been found to use an old transaction code. Sometimes, new transaction codes replace old transaction codes. In this step you have the option to exchange the transaction codes. Once you have completed the upgrade of the Eligibility proposal values, you will be given the option in Step 3 (Transport of the Customer Tables). Transport your permissions suggestions in your system landscape.
With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.
The website "www.sap-corner.de" offers a lot of useful information about SAP authorizations.
To define table permissions in the PFCG transaction, it is not necessarily sufficient to specify the generic table display tools, such as the SE16 or SM30 transactions, in the role menu.