Use table editing authorization objects
SAP Security Automation
How to maintain security policies and map them to your users is described in Tip 5, "Defining User Security Policy." You need a separate security policy for administrators to implement this tip, which is often useful for other reasons. In this security policy, you then set the policy attribute SERVER_LOGON_PRIVILEGE to 1. For example, you can also include the DISABLE_PASSWORD_LOGON policy attribute setting, because administrators often want to be able to log in with a password on the system.
The password lock is not suitable to prevent the login to the system, because it does not prevent the login via single sign-on. Learn how to safely lock the system logon. The SAP system distinguishes several reasons for blocking. Therefore, sometimes there is confusion when a user is still able to log on to the system, e.g. via Single Sign-on (SSO), despite the password lock. We explain the differences between locking passwords, locking and validity of user accounts, and validity of assigned permissions in the following.
Development
Now check the SY-SUBRC system variable. If the value is 0, the Permissions Check succeeded. If the value is 4, the test did not pass. At a value of 8, there is an inconsistency in the definition of the authorization object and the verification in the code - this should not happen! If the value is 12, the permission is not part of your permission buffer.
TMSADM: The user TMSADM serves the communication between SAP systems in the transport management system and is automatically created in the client 000 when they are configured. TMSADM only has the permissions to access the common transport directory, view in the change and transport management system, and the necessary RFC permissions. Safeguard measures: Change the user's passwords in each client. There is the report TMS_UPDATE_PWD_OF_TMSADM, which you have to start in the client 000. This is only possible if you have administrator privileges on all systems in the landscape and the password rules of the systems are compatible. After the report has been successfully passed, all TMSADM users of the landscape in the client 000 and their destinations have the same new password.
Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.
Here, for example, push messages are displayed on the tile, or key figures, diagrams, etc.
For example, if you check what table permissions a particular user has based on the S_TABU_DIS authorization object, you will receive information about the table names, the associated table permission group, and the eligible activities.