Check the SAP authorization concept
Check for permissions on the old user group when assigning a new user group to a user
In everyday role maintenance, you often have to change the permission data of a single role again after you have already recorded the role in a transport order along with the generated permission profiles. In this case, you have previously had to create a new transport order because the table keys of the generated profiles and permissions are also recorded for each individual role record, but are not adjusted for subsequent changes in the role data.
In a redesign, we follow the principle of job-related workstation roles to technically map the job profile of the employees. To minimize the effort for the same job profiles with different organizational affiliations, the organizational units are inherited via an additional role. The separation of technical and organizational requirements greatly simplifies role development and modification. If certain people, such as team leaders, require extended authorizations, key user roles are developed for them, which extend the existing job role.
Perform Risk Analysis with the Critical Permissions Report
Applications use the ABAP statement AUTHORITY-CHECK in the source code of the program to check whether the user has the appropriate authorizations and whether these authorizations are defined appropriately, that is, whether the user administrator has assigned the values required by the programmer for the fields. In this way, you can also protect transactions that are indirectly accessed by other programs. AUTHORITY-CHECK searches the profiles specified in the user master record for authorizations for the authorization object specified in the AUTHORITY-CHECK statement. If one of the determined authorizations matches one of the specified values, the check was successful.
We advise you not to use the self-set password with a self-service as a generated password is more secure. The password is generated depending on the password rules; This is done by first evaluating the settings in the security policy assigned to the user. If no security policy has been assigned to the user, the system will consider the password rules in the profile parameters and in the customising table PRNG_CUST. In order for the associated security policy to be considered, you may need to include the correction provided with SAP Note 1890833. Remember that the BAPI_USER_CHANGE function block does not automatically unlock the user. In the event of a lock-out due to incorrect logins, you still have to unlock the user using the BAPI_USER_UNLOCK.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
The function block was obviously not intended for this use, but our procedure does not affect the programme process and we are not aware of any limitations resulting from this use.
You assign a reference user to a dialogue user by registering the reference user for additional rights in the SU01 transaction on the Roles tab in the Reference User field.