SAP Authorizations User group can be defined as required field - SAP Basis

User group can be defined as required field
Authorization tools - advantages and limitations
Should employees only be able to access table data that is relevant to their work, country or accounting area? Set up organisational criteria to ensure this. Do you want users to be able to read or maintain specific tables, but only have access to the table contents that are relevant to them? The S_TABU_DIS and S_TABU_NAM authorization objects allow you to grant access to tables, but if a user should see or maintain only parts of a table, these authorization objects reach their limits.

Once you have identified the organisational features to consider, verify that you can redesign the existing roles so that the organisational features can be clearly maintained per use area. This leads you to a concept in which functional and organisational separation is easy to achieve. However, you will end up with a larger number of roles: posting/investing roles, changing roles, reading roles. Such a concept is free of functional separation conflicts and is so granular that the organisational characteristics can be defined per use area.
Use SAP Code Vulnerability Analyser
SAP NetWeaver 7.31 introduces a new method for determining affected applications and roles by timestamping (see tip 45, "Using the timestamp in the transaction SU25"). With Support Package 12 for NetWeaver Release 7.31 and Support Package 4 for NetWeaver Release 7.40 from SAP Note 1896191, the Expert Mode function for adopting SU22 data for step 2 has been added.

A typical use case arises when a new SAP user is requested. The data owner now checks whether the person making the request and the person to be authorized are at all authorized to do so, what data would be affected, whether an SAP user already exists to whom new roles can be assigned and old ones revoked, whether data access can be limited in time, and so on.

With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.

An alternative to using the S_TABU_LIN authorization object is to create custom table views that make organisational delimitation easier to achieve.

The security section of the ESC is the entry point for the evaluation of permissions; it currently contains the following seven critical tests: Super User Accounts (accounts with the SAP_ALL permission profile), users with the Display all Tables permission, users with the Start all Reports permission, users with the Debug/Replace permission, users with the Display Other Users Spool Request permission, users with the Administer RFC Connections permission, and users with the Reset/Change User Passwords permission.