SAP Authorizations Check for permissions on the old user group when assigning a new user group to a user

Check for permissions on the old user group when assigning a new user group to a user
Set password parameters and valid password characters
This advanced functionality of transaction SU53 is delivered via a patch. Please refer to SAP Note 1671117 for more information on the required support packages and technical background. Unsuccessful authorization checks are now written to a ring buffer in the application server's shared memory. This allows you to view failed authorization checks in Web Dynpro applications or other user interfaces, which was not previously possible. Depending on the size of the ring buffer and system usage, up to 100 failed authorization checks per user can be displayed for the last three hours. The size of the ring buffer is calculated from the number of defined work processes. By default, 100 authorization checks can be saved per work process. You can adjust this size using the auth/su53_buffer_entries profile parameter.

Implement SAP Note 1433352 in your system. This note delivers the RSAUDIT_SYSTEM_STATUS report. The report documents the current status of the client and system modification settings in an overview, which you can also print out for evaluation if required. The advantage of this report is that only display authorizations are required to execute it.
Correct settings of the essential parameters
The system protects direct access to the contents of tables, for example with transactions SE16, SM30, or SE16N, with authorization checks on the table authorization group (object S_TABU_DIS). If there are no suitable authorizations for the table authorization group, the system checks the name of the table or view (object S_TABU_NAM). When changes are made to client-independent tables, the system also checks the authorizations for object S_TABU_CLI. If you have configured line-based authorization checks in Customizing, the system also checks authorization object S_TABU_LIN. Assign tables or views to a table authorization group using transaction SE11 or SE54. You can also define table authorization groups using transaction SE54. If your customer development implements direct access to a table, use the VIEW_AUTHORITY_CHECK function module to perform the authorization check. For more information about generic access to tables, see SAP Note 1434284 and the online documentation for the authorization objects mentioned above.
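A sketch of how a customer report can call VIEW_AUTHORITY_CHECK before it reads a table directly, so that the check sequence described above runs first. This is an added example, not code from the original page or from SAP. The report name and the table ZCUSTOM_TABLE are hypothetical, and the mapping of exceptions to authorization objects in the comments is an assumption derived from the exception names; confirm the function module's interface in SE37 on your release.

```abap
REPORT z_table_read_with_auth_check.

" Hypothetical customer table, used only for this illustration.
CONSTANTS gc_table TYPE tabname VALUE 'ZCUSTOM_TABLE'.

DATA lr_rows TYPE REF TO data.
FIELD-SYMBOLS <lt_rows> TYPE STANDARD TABLE.

START-OF-SELECTION.

  " 'S' requests display access; 'U' would request change access, which
  " is the case where client-independent tables need S_TABU_CLI as well.
  CALL FUNCTION 'VIEW_AUTHORITY_CHECK'
    EXPORTING
      view_action                    = 'S'
      view_name                      = gc_table
      no_warning_for_clientindep     = 'X'
    EXCEPTIONS
      invalid_action                 = 1
      no_authority                   = 2  " assumed: S_TABU_DIS / S_TABU_NAM
      no_clientindependent_authority = 3  " assumed: S_TABU_CLI
      table_not_found                = 4
      no_linedependent_authority     = 5  " assumed: S_TABU_LIN
      OTHERS                         = 6.

  " Fail closed: any non-zero return code stops the report before the
  " SELECT, including codes that are not authorization failures.
  CASE sy-subrc.
    WHEN 0.
      " Authorized: continue below.
    WHEN 2 OR 3 OR 5.
      MESSAGE 'No authorization for the requested table access'
        TYPE 'S' DISPLAY LIKE 'E'.
      RETURN.
    WHEN OTHERS.
      MESSAGE 'Authorization check could not be completed'
        TYPE 'S' DISPLAY LIKE 'E'.
      RETURN.
  ENDCASE.

  " The table is read only after the check has succeeded.
  CREATE DATA lr_rows TYPE STANDARD TABLE OF (gc_table).
  ASSIGN lr_rows->* TO <lt_rows>.
  SELECT * FROM (gc_table) INTO TABLE <lt_rows> UP TO 50 ROWS.

  WRITE: / 'Rows read:', sy-dbcnt.
```

A failed check in this report also appears in the SU53 evaluation for the user, which helps when deciding which of the table authorization objects is missing from the role.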

Changes in customizing and various security-relevant changes, such as the maintenance of RFC interfaces, can be viewed via table change logs. This authorization should only be given to an emergency user.

If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.



Alternatively, you can compare against an actual system; for example, this is a useful function in the context of a roll-out.