System Security
Create permissions for customising
The handling of organisational levels in PFCG roles wants to be learned. If these are maintained manually, problems arise when deriving rolls. We will show you how to correct the fields in question. Manually maintained organisational levels (orgons) in PFCG roles cannot be maintained via the Origen button. These organisational levels prevent the inheritance concept from being implemented correctly. You can see that organisational levels have been maintained manually when you enter values via the Ormits button, but the changes are not applied to the authorization object.
For these scenarios, there are several ways to determine which systems and clients to display to the user in the self-service selection. We therefore describe a possibility that you can use in all scenarios. To do this, use the BAPI BAPI_USER_GET_DETAIL, which you must call for the SAP User ID on all relevant systems. Check the entry for the RETURN table parameter first. If the entry is empty, the user is present in the SAPS system. Any error messages during the call are displayed in this parameter (e.g. if the user is not present). If the PROFILES or ACTIVITYGROUPS table parameters have entries, permissions in this system are assigned to the user. In addition, you can use the REF_USER export parameter to identify a reference user that is associated with it. However, you must also check that it has permissions. You can also determine if a lock exists when you call the BAPI BAPI_USER_GET_DETAIL. To do this, use the ISLOCKED export parameter, which returns a four-character combination of the L (locked) and U (not locked) characters.
Determine Permissions Error by Debugging
If the authorization objects also require permission fields, you can create them in the SU20 transaction. When creating a authorization object in the SU21 transaction, you first set a name and description for the authorization object, and then assign it to an object class. Then assign the necessary permission fields. If any of these fields are ACTVT, you can select all of the activities to be checked by clicking the Activities button. The navigation behaviour has been improved here a lot.
Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.
You can also find some useful tips from practice on the subject of SAP authorizations on the page "www.sap-corner.de".
These then correspond to your internal and external security guidelines.