Maintain derived roles
Calling RFC function modules
Ensure that permission checks are performed when reference users are assigned. The checks are performed on the permissions associated with the roles and profiles assigned to the reference user. These eligibility tests are also a novelty, which is supplemented by SAP Note 513694.
Optional: S_PATH authorization object: If the test identifies 3 additional permissions checks for individual paths for the S_PATH authorization object, these are checked in the fourth step. The access type and the permission group stored in the SPTH table are checked.
Default permissions already included
First, the Web application developers must implement appropriate permission checks and make PFCG available for use in role maintenance in the transaction. This includes the maintenance of proposed values in the transaction SU22. The SAP Note 1413012 (new reusable startup authorisation check) provides all the necessary details.
Suggested values are maintained in the transaction SU24 and delivered through the transaction SU22. Read more about the differences between these two transactions. Maintaining suggestion values via the SU24 transaction is useful if you want to reflect your own requirements or if the values provided by SAP do not meet customer requirements (see Tip 37, "Making sense in maintaining suggestion values"). These proposed values form the basis for the role maintenance credentials in the PFCG transaction. As you know, the suggested values provided by SAP are in the transaction SU22, which are delivered during reinstallation or upgrades as well as in support packages or SAP hints. What is the difference between transactions and how are they used correctly?
Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.
If you want to get more information about SAP basis, visit the website www.sap-corner.de.
You can use the Check ID to map user lists to the permission checks.
To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.
SAP's proposed permissions for the S_DATASET authorization object do not provide much help, and S_PATH has virtually no information, because you must activate this authorization object only by customising the SPTH table.