Use table editing authorization objects
Rebuilding the authorization concept
The applications (transactions, Web-Dynpro applications, RFC building blocks, or Web services) are detected through their startup permissions checks (S_TCODE, S_START, S_RFC, S_SERVICE) and can be placed in the role menu of your role. In your role, go to the Menu tab and import these applications by clicking Apply Menus and selecting Import from Trace. A new window will open. Here you can evaluate the trace and view all recognised applications in the right window. To do this, click the Evaluate Trace button and select System Trace (ST01) > Local. In a new System Trace window, you can specify the evaluation criteria for the trace, such as the user using the Trace field only for users or the time period over which to record. Then click Evaluate.
Various activities, such as changes to content or the assignment of roles, are made traceable via change documents. This authorization should only be assigned to an emergency user.
Organisational allocation
The call to your implementation of the BAdIs is the last step in the process of storing user data. This applies to all transactions or function blocks that make changes to user data. Therefore, the BAdI is also called during maintenance by the BAPI BAPI_USER_CHANGE. You use this BAPI when you implement a password reset self-service as described in Tip 52, "Reset Passwords by Self-Service." This enables encrypted e-mail delivery of initial passwords within a self-service framework.
Once you have edited the role menu, you can customise the actual permissions in the PFCG role. To do this, click the Permissions tab. Depending on the quantity of external services from the Role menu, the authorization objects will appear. The authorization objects are loaded into the PFCG role, depending on their suggestion values, which must be maintained for each external service in the USOBT_C and USOBX_C tables. You can edit these suggested values in the SU24 transaction. Make sure that external services in the Customer Name Room also have the names of external services and their suggestion values in the tables maintained (see Tip 41, "Add external services from SAP CRM to the proposal values"). Visibility and access to external services is guaranteed by the UIU_COMP authorization object. This authorization object consists of three permission fields: COMP_NAME (name of a component), COMP_WIN (component window name), COMP_PLUG (inbound plug).
Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.
In the development and creation of authorization objects, some functionalities of the SAP hint are extremely helpful, which we present in this tip.
It is often overlooked that the critical S_RFC privilege object requires an analogue permission assignment.