Use Custom Permissions
Even if key users (department users/application support) do not have to develop their own authorization objects and cooperation with SAP Basis is always advantageous, there are often technical questions such as "Which users have authorization to evaluate a specific cost center or internal order?
In order for these FIORI apps/tiles and groups to be displayed, the corresponding authorizations must be made on the basis of a group and catalog assignment. These are assigned via specific groups, which in addition to the normal authorizations (such as create, change, display cost centers) also assign access to the appropriate FIORI Apps.
The AL08 transaction displays all logged-in users and their application servers. In the Server Name column, you can see which application server the user is logged on to, and which has the permission issue. Switch to this application server by calling the SM51 transaction and double-clicking the application server you are looking for. On the application server that is now active, run the permission trace as usual and review the evaluation.
Ensuring secure administration
The organisation of a company is represented in the SAP system. Keep an overview here to identify dependencies and control access permissions in an organisation-specific way. In customising, different organisational values are stored for the individual ERP components to enable an organisational mapping of the root and movement data. This mapping is required, among other things, to control access permissions or constraints. We will show you how you can get an overview of the well-maintained organisational units and see dependencies between the different organisational values.
You can maintain the SE97 transaction to determine whether or not a transaction should start at origin. The information in this transaction comes from the TCDCOUPLES table and is included. You have the possibility to amend or supplement the proposals listed here. When the CALL TRANSACTION statement is invoked, additional transaction code pairings are written to the TCDCOUPLES table by activating the authorisation trace through the auth/authorisation_trace profile parameter. The check mark indicates whether the test is carried out. By default, it is set to unkempt after performing the trace. If the check mark is set to YES, the transaction startup permission is performed with the S_TCODE object. If applicable, other permissions maintained by the SE93 transaction are also checked when the transaction is called.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
I'm sure you know this.
This also applies to every privilege and role.