Do not assign SAP_NEW
Lock Inactive Users
The user administration process, i.e. user creation, modification and deactivation, should on the one hand be available in written documented form, either as a separate document or as part of the authorization concept documented in writing, and on the other hand also be carried out in accordance with the documentation. Therefore, a reconciliation should be performed on two levels: on the one hand, it should be ensured that the documentation is up to date and, on the other hand, it should be checked whether the process was also followed in the fiscal year to be audited. Possible deviations should already be prepared argumentatively, special cases can always occur that deviate from the actual process. However, these should be documented in a comprehensible manner so that an external auditor, such as the auditor's IT auditor, can check the plausibility. All documentation should be provided with the essential information (creator, date, version, etc.) and be in a format that cannot be changed (usually PDF). Additional documentation can also be output from the ticket system, provided that the process is consistently documented via the ticket system.
In the display image of your selected table, go to the Tools menu and select Assign Permissions Group. On the following image, you can then change the association with a table permission group or assign a new permission group. To do this, click the View/Modify button ( ) and enter your permission group in the Permission field.
Limit character set for user ID
Access to tables and reports should be restricted. A general grant of permissions, such as for the SE16 or SA38 transaction, is not recommended. Instead, parameter or report transactions can help. These transactions allow you to grant permissions only to specific tables or reports. You can maintain secondary authorization objects, such as S_TABU_NAM, in the Sample Value Care.
In the simulation overview you will now receive all the information you already know from the authorisation maintenance in the transaction PFCG. The results are presented in a table where each row corresponds to a value interval of a permission. The Object column specifies the authorization object. Use the Active/Inactive column to determine if the permission has been disabled. The Maintenance Status and Update Status columns provide information about the status of the permission and how the permission has been updated. In the Permissions Comparison column, you can find out what exactly changed on the permission, such as whether a permission has been deleted or added anew, or whether the field values in the permission have been updated. You can find information about the field values in the Value Comparison column, which shows whether values have remained the same, whether they have been added or deleted. The values that were actually deleted and added can be seen in the columns from Value to Value (see figure next page). Please note that this is only a simulation. You must still perform the actual mixing process in the permission maintenance. Because reel mixing is not only a factor in upgrade work, the transaction SUPC also provides the ability to call this simulation mode. In the overview of the selected rolls you will find the button Mix which simulates the mixing process.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
After that, you can activate the new functionality in Customising via this path: Finance (new) > Basic Financial Settings (new) > Permissions > Enable Profit Centre Permissions Check.
To do this, create an amendment in the system recommendations for the SAP hints to be implemented.