User group can be defined as required field
Basic administration
SAP Note 1707841 ships an extension to the system trace in the STAUTHTRACE transaction, which enables the permission trace to be used on all or on specific application servers. To select the application servers on which to start the trace, click the System Trace button. Now select the application servers in the list on which you want to run the system trace and start the trace with a click on Trace. In the evaluation of the Permission trace, an additional column named Server Name appears, showing you the name of the application server on which the respective permission checks were logged.
No external services can be added manually in transaction SU24. To do this, you must turn on a permission trace that takes over. You can enable the permission trace using the auth/authorisation_trace dynamic profile parameter. You can enable this parameter by using the transaction RZ11 (Profile Parameter Maintenance) by entering the value Y as a new value and selecting the Switch to All Servers setting.
Maintain table permission groups
If you want to use reference users and use the User menu, you should also ensure that users also see the role menus associated with reference users. To do this, enter the corrections in SAP Note 1947910. They include two switches for customising in the SSM_CUST table.
Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.
You can also find some useful tips from practice on the subject of SAP authorizations on the page "www.sap-corner.de".
We have not found the simplification that only a user without permissions can definitely not have illegal permissions.