Check and refresh the permission buffer
Authorizations in SAP systems: what admins should look out for
If you have developed your own permission checks to use them in your own programmes or to make extensions to the SAPS standard, it is essential that you maintain the Z authorization objects as suggestion values for the respective applications. Thus, they do not have to be reworked manually in the respective roles. In addition, you have created a transparent way to document for which applications your customer's permissions are available. Last but not least, a well-managed suggestion value maintenance helps you with upgrade work on suggestion values and PFCG roles. This ensures that your changes and connections to the respective PFCG roles are retained and new permissions checks for the new release are added to the applications.
If you want to cancel, share, or reset other users' jobs to scheduled status, you must have permission for the S_BTCH_ADM object with a value of Y. Alternatively, you can also grant the JOBACTION = MODI and JOBGROUP = permission for the S_BTCH_JOB object. The MODI promotion was introduced with SAP NetWeaver AS ABAP 7.00 or can be recorded via SAP Note 1623250. The following illustration shows an example of how the JOBACTION = MODI privilege is expressed for the jobs of the users listed under JOBGROUP.
Authorization concept - user administration process
You can customise the AIS cockpit to your needs. To do this, use the customising that you will also find in the transaction SAIS under the button Administration of the audit environment. Select Configure Audit Cockpit and you can define a default audit structure, the maximum line length for log entries, and the number of log entries per audit step.
Ensure that permission checks are performed when reference users are assigned. The checks are performed on the permissions associated with the roles and profiles assigned to the reference user. These eligibility tests are also a novelty, which is supplemented by SAP Note 513694.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
The data owner now checks whether the person making the request and the person to be authorized are at all authorized to do so, what data would be affected, whether an SAP user already exists to whom new roles can be assigned and old ones revoked, whether data access can be limited in time, and so on.
The display of these settings, e.g. via the SCC4 or SE06 transactions, is not in itself critical; However, this has previously required permissions that are not usually assigned to the group of people just described.