Further training in the area of authorization management
If you have an older SAP NetWeaver release than 7.00 installed, only two possible values for the customising switch BNAME_RESTRICT are available after the implementation of SAP Note 1731549. The switch is NO, and you can switch it to ALL, so that the switch takes on the same functionality as in the higher releases.
If you want your own developments to meet your security requirements, just like the standard, you must assign table permission groups to the custom tables. Custom tables, or SAP standard tables that you want to protect in particular, belong to separate, if applicable, customer-specific table permission groups. If extensive permissions are to be granted for system administration or certain applications, this is done with the S_TABU_DIS authorization object for the table permission group. Since many standard tables do not have a table permission group assigned to them and therefore automatically end up in the table permission group &NC&, you should restrict access to this table permission group. For example, certain tables such as T000 (clients) are in a large table permission group (SS: RS: SAP control); therefore, it is better to restrict access via a separate table permission group. You should also always assign custom tables to a table permission group, otherwise they will also be assigned the table permission group &NC&. Therefore, we will explain below how you can create table permission groups and map tables.
If the changes to your SU24 data have not been detected with step 2a, or if you have imported transports from other system landscapes into your system, you have the option to reset the timestamp tables and start again. To do this, run the SU24_AUTO_REPAIR report in a system that is still at the state of the legacy release so that the modification flag is set correctly (see tip 38, "Use the SU22 and SU24 transactions correctly"). Subsequently, you create a transport and transport your SU24 data to the system, which is at the state of the new release. Now delete your timestamp tables. You can use the report SU25_INITIALIZE_TSTMP. Starting with SAP NetWeaver 7.31, you have the choice to set the reference time stamp from the SU22 data or delete the contents of the time stamp tables. You can then run Step 2a again.
In the beginning, the FI and CO modules were separated from each other. Both modules have been combined by SAP as higher-level modules in the accounting area. The main reason for this is the tight process structure, which enables a smooth transition between the two modules. As a result, SAP FI and CO now only appear as the joint module SAP FICO.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
Check to see if there are any corrective recommendations to follow for your release.
When accessing tables or views, the S_TABU_DIS authorization object is used to grant permission for a specific table permission group in the permission check.