Transports
Authorization concept - recertification process
If you do not have authorization e.g. for a transaction and you get a message that you are missing authorization, you can use transaction SU53 to analyze the missing authorization. This transaction shows the last failed authorization check, including the authorization objects and authorization fields.
For even more extensive operations on jobs, there must be an authorization for object S_BTCH_ADM, in which the field BTCADMIN (identifier for the batch administrator) has the value 'Y'. This allows cross-client operations on any job. S_BTCH_ADM with value 'Y' thus also contains the objects S_BTCH_JOB action * and S_BTCH_NAM and S_BTCH_NA1 with user/program = *. Therefore, this is a very critical authorization because it allows an identity change. With the changes mentioned in note 1702113, the S_BTCH_ADM object can be used to restrict the authorization assignment more precisely.
WHY ACCESS CONTROL
First, consider the transport of your proposed permissions from various development systems to a consolidation system. When you save permission proposal values in transport orders, you will notice that generic entries are used instead of detailed BOMs. These generic entries mark all applications, for example, with TR*..
In addition, critical commands should be prohibited from the outset. Examples are EXEC SQL, which allows direct access to database tables bypassing certain security mechanisms, and CLIENT SPECIFIED, which allows access to data in other clients.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
They are used in technical operations that require a user, such as batch runs or RFC connections.
For a detailed description of the configuration, including for verification and decryption of received emails, see the SAP Online Help at http://help.sap.com/saphelp_nw73ehp1/helpdata/en/d2/7c5672be474525b7aed5559524a282/frameset.htm and SAP Note 1637415.