THE "TOP SEVEN"
Default permissions already included
With the Enhancement Package (EHP) 3 to SAP ERP 6.0, SAP has provided an extension of the eligibility tests in the FIN_GL_CI_1 Business Function, which allows the eligibility objects for profit centres to be tested in FI. You must first enable the FIN_GL_CI_1 Business Function in the Switch Framework (transaction SFW5). After that, you can activate the new functionality in Customising via this path: Finance (new) > Basic Financial Settings (new) > Permissions > Enable Profit Centre Permissions Check.
No more users can be created, maintained or deleted without the assignment of a valid user group. If a user group is not assigned when a user is created, the user is automatically assigned the default user group. Before you set the USER_GRP_REQUIRED switch, a user group must have been assigned to each existing user and the administrators must have the permissions for the default user group. When creating a new user, the default user group will be used as pre-occupancy; this user group can be overridden by setting another user group in the S_USER_GRP_DEFAULT user parameter for each user administrator. The customising switch requires a valid user group, because it is used as the default user group. If a valid user group has not been entered in the customising switch, the user group is nevertheless a mandatory field. This will lead to errors in automated user creation.
Equal permissions
Which authorization data does a role have (PFCG)? Again, start the transaction PFCG and display a role. Then branch to the tab Authorizations and click on the button with the "glasses" (bottom left): Display authorization data.
If you want to know more about SAP authorizations, visit the website www.sap-corner.de.
The specific SAP_NEW authorization object imprints are provided via the SAP_BASIS component. Therefore, an SAP_NEW profile is always bound to a specific base release. Proceed as follows: With the transaction SU02, you remove all old, individual profiles from the SAP_NEW composite profile, including the profile that belongs to the start release of your upgrade. Now assign the reduced SAP_NEW permission profile to all users in the upgrade preparation system, ensuring that all users can work as usual. This step can be omitted if you are following another method to identify missing permissions. Now check all permissions in all remaining profiles within the SAP_NEW summary profile that have a higher release level than the SAP_BASIS upgrade start release. Map all required permissions to all productive roles in your permission concept. You can do this for each intermediate release individually. The next step is to adjust the permissions in your productively used roles in the PFCG transaction, and then remove the corresponding permissions from the SAP_NEW profile using the SU02 transaction. Repeat steps 3 through 4 until the SAP_NEW permission profile is empty. Work in a development system during the role adjustment phase and transport the adjustments made to your eligibility roles to your quality assurance system. After successful acceptance test, you transport them to the production system. Now you can remove the SAP_NEW profile from all users. You can then proceed with role follow-up as part of the release change in the SU25 transaction (see also Tip 43, "Customise Permissions After an Upgrade").
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
Please follow the instructions in our Tip 49, "Add New Organisation Levels".
The freeware Scribble Papers is a "note box" in which all kinds of data can be stored. It takes in typed texts as well as graphics and entire documents. The data is then organised in folders and pages.
The RSUSR008_009_NEW report is delivered with the old SAI proposals for critical credentials already used in the RSUSR009 report.