Use application search in transaction SAIS_SEARCH_APPL
User Information System (SUIM)
The permissions in the NWBC are handled as well as in the normal SAP Easy Access menu. For example, you can assign transactions and Web Dynpro applications to the individual and collection roles in a defined menu structure in the Role menu. The navigation structure of the NWBC reflects the menu structure and settings of the corresponding PFCG role assigned to the user. The folder structure of the Role menu directly affects the navigation bar that is displayed to the user in the NWBC.
In addition to these requirements, other settings can ensure that the transaction can be performed without verification: Verification of eligibility objects is disabled by check marks (in transaction SU24). This is not possible for SAP NetWeaver and SAP ERP HCM authorization objects, i.e. it does not apply to S_TCODE checking. The checks for specific authorization objects can be globally off for all transactions (in transaction SU24 or SU25). This is only possible if the profile parameter AUTH/NO_CHECK_IN_SOME_CASES is Y. In addition, executable transactions may also result from the assignment of a reference user; the reference user's executable transactions are also taken into account.
Conclusion
Organisation levels ensure more efficient maintenance of the eligibility roles. You maintain them once in the transaction PFCG via the button Origen. The values for each entry in this field are entered in the permissions of the role. This means that you can only enter the same values for the organisation level field within a role. If you change the values of the individual fields in the authorization objects independently of the overarching care, you will receive a warning message that you will no longer be able to change this field by clicking the Ormits button and that this individual value will be overwritten when you adjust derived roles. Therefore, we strongly advise you not to carry out individual maintenance of the organisation level fields. If you adhere to this advice, as described above, there can always be only one value range for an organisation level field. For example, the combination of displaying all posting circuits and changing a single posting circle within a role cannot be implemented. Of course, this has implications if you want to upgrade a field to the organisation level. A field that has not previously served as an organisational level can include such entries with different values within a role. You must clean up these entries before you declare a field as an organisation level. In addition, the definition of a field as an organisational level also affects the proposed permissions values of the profile generator.
In the SU22 transaction, the developers of an application maintain the proposed values for all required authorization objects; the authorisation trace helps in this. As described in SAP Note 543164, the dynamic profile parameter auth/authorisation_trace of the trace is set to Y (active) or F (active with filter). By inserting the SAP Notes 1854561 or the relevant support package from SAP Note 1847663, it is possible to define a filter for this trace via the STUSOBTRACE transaction, which you can restrict by the type of application, authorization objects, or user criteria.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
A new window will open again, where you can set the evaluation criteria for the trace and limit the filter for applications either to applications in the menu or to all applications.
Every large company has to face and implement the growing legal requirements.