Set up permissions to access specific CO-PA measures
General considerations
The More node details area allows you to configure additional settings. For example, by activating the Default Page setting, the selected transaction (in our example MM03) is called first when the parent folder (in our example of the Material Stems folder) is retrieved. The Invisible setting means that the transaction is not visible in the menu, but can be called from a button.
There are several ways to view the implementation of permission checks: Either you jump directly from the system trace for permissions to the appropriate locations in the programme code, or you go over the definition of the authorization objects. To view the permission checks from the permissions system trace, start the trace from the STAUTHTRACE transaction and run the applications you want to view. Now open the evaluation of the Trace. In the Programme Name column, you can see the programme that includes the Permissions Check. Double-click to go directly to the code site where the permission check is implemented.
System Settings
Partners delivering their developments also maintain the proposed values for their applications in the transaction SU22. If customers are developing systems that supply other system landscapes than your system landscape and require different SU24 suggestion values per system, the proposed values in transaction SU22 will be maintained. The profile generator uses only the values of the transaction SU24 in your customer environment as a data base. To maintain the suggestion values, you can use both the System Trace data for permissions from the ST01 or STAUTHTRACE transaction and the data from the permission trace in the SU24 transaction (see Tip 39, "Maintain suggestion values using trace evaluations").
Communication users are also intended for use by people who log on to the SAP system from outside via RFC call. Therefore, dialogue is not possible. If the password is set by the administrator, it will be assigned Initial status. However, an RFC call does not prompt the user to change the password. It therefore often retains this status, even if the user has the possibility to change the password by calling a function block (then: Status Productive). The password rules apply to this type of user. However, this is often not noticed in practice, as password rules for initial passwords are less used.
Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.
Now, to allow only certain external services, you can do the following: First, identify the external service using the permission trace.
Communication users usually use an initial password because a dialogue is not possible and the password is not changed.