Note the maintenance status of permissions in roles and their impact
ICS for business processes in SAP systems
A new transaction has been added to evaluate the system trace only for permission checks, which you can call STAUTHTRACE using the transaction and insert via the respective support package named in SAP Note 1603756. This is a short-term trace that can only be used as a permission trace on the current application server and clients. In the basic functions, it is identical to the system trace in transaction ST01; Unlike the system trace, however, only permission checks can be recorded and evaluated here.
Manual authorization profile - To minimize the editing effort when using manual authorization profiles, you usually do not enter individual authorizations in the user master record, but authorizations combined into authorization profiles. Changes to access rights take effect for all users whose user master record contains the profile the next time they log on to the system. Users who have already logged on are therefore not initially affected by changes.
Application Permissions
In this article, I show you with which transaction you can easily and quickly run the authorization trace in SAP ERP or SAP S/4HANA. The displayed result provides a good overview of the involved authorizations. In this course, existing roles and profiles in authorization management (transaction PFCG) can be extended. In addition, the authorization trace is useful for maintaining authorization default values (transactions SU22 and SU24).
Your compliance requirements specify that background jobs that are used should be maintained with permission proposals? We'll show you how to do that. Particularly in the banking environment, there are very strict guidelines for the permissions of background jobs used for monthly and quarterly financial statements, etc. Only selected users or dedicated system users may have these permissions. In order to clearly distinguish these permissions from the end-user permissions, it is useful to explicitly maintain the permissions for specific background jobs with suggestion values, so that these values can be used repeatedly to maintain permissions and are therefore transparent. You may have noticed that in the transaction SU24 you have no way to maintain background job credentials. So what's the best way to do that?
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
When your selection is complete, just exit the image with the green button.
In this example, we assume that the document is posted through an interface and that you want to check permissions for custom authorization objects and/or certain data constellations.