
BOOKSU22_PFLEGE_1 - BOOKSU22 PFLEGE 1


This documentation is copyright by SAP AG.

Working with Transaction SU22

Use

As a developer, you can use transaction SU22 to assign the authorization objects for an application and to edit the authorization default values of the authorization objects. Customers' authorization administrators can use transaction SU25 to transfer the authorization objects and their default values and transaction SU24 to adjust them. The profile generator (role administration tool, transaction PFCG) uses this data adjusted by the customer when creating role authorizations. In PFCG, the customer's role administrator can further edit the authorization values, for example, by specifying a company code.

Procedure

  1. In transaction SU22, specify the applications for which you want to edit the authorization object assignments, and choose Execute.
  2. To display the assignment of authorization objects to an application, select the application by double-clicking it.
  3. On the Properties tab page, you can assign a mode to your application in the Maintenance Mode field.
  4. On the Authorization Objects tab page, edit the default value status of the objects as required. To change a default status, select the line and choose the Default button. More information: Rules for Setting the Authorization Default Status.
The default status determines whether an authorization is included in a role for the authorization object when an application is assigned to a role. This field is empty for authorization objects that the authorization trace has newly assigned to your application, and the traffic light status is red.
  5. To display authorization objects with the default status Yes, double-click the Yes field. More information: General Notes on Assigning Authorization Default Values.
  6. To manually assign an authorization object with the status Check and an authorization default value to your application, select the line and choose the Object button, and then Object -> Add Authorization Object.
  7. To remove the assignment of a manually-added authorization object, select the line, and then choose the Object button, and then Object -> Remove Authorization Object.
Note: It is not meaningful to remove authorization objects that have been automatically assigned by the authorization trace, since the system will always reassign these objects.

Additional Functions

The maintenance status of the applications themselves has a traffic light indicator. If it is yellow (warnings), you can display the warning messages. To do this, select the line of the application and, on the Authorization Objects tab, choose Check.

Inheritance of Authorization Default Values from Parameter Transactions

If the transaction whose object list you have selected is a parameter transaction, an additional status text is displayed to the right of the traffic light icon of the maintenance status. This tells you whether the inheritance of authorization default values from the core transaction is active or inactive. If you double-click this text, an additional session opens with the object list of the core transaction.
The difference between active and inactive inheritance is as follows:

Inheritance active
The merge function of the profile generator takes into account objects with the indicator "Default: Yes" from both the parameter transaction itself and from the core transaction.

Inheritance inactive
The merge function of the profile generator takes into account objects with the indicator "Default: Yes" from the parameter transaction only.

Inheritance is active in the default setting. To switch between the two settings, use the pushbutton on the far right in the toolbar above the object list in change mode. To apply the changed setting, you have to save. Only then does the new status text appear.

Note

You can also control the authorization check for transactions with check indicators. For technical reasons, this is only possible for transactions, and for this reason, the check indicators are also only shown for transactions.

  • Check Indicator Check: Default check indicator; change it only in exceptional cases.
  • Check Indicator Do Not Check: Set the check indicator Do Not Check for a particular authorization object of a transaction. It means that the authorization check for this object is deactivated for this transaction and is therefore always successful. This means that the ABAP statement AUTHORITY-CHECK always returns sy-subrc=0, so that the authorization check has no effect. The check therefore does not determine whether the user has a suitable authorization.
Therefore set this value only in exceptional cases. It is never permissible for Basis and HR authorization objects.
If a transaction cannot be used without a specific authorization, it is usually wrong to assign the check indicator Do Not Check for this authorization object. Instead, leave the check indicator set to Check, set the authorization default status to Yes, and assign appropriate authorization default values. In this way, the users receive a suitable authorization if the administrator adds the transaction to a role. If you cannot specify any meaningful authorization default values, set the authorization default status Yes, Without Values.
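
The following is an added example, not SAP code: a small Python model of an exported list of object assignments that flags the settings this note warns about (Do Not Check, especially on Basis/HR objects, and objects whose default status is still empty) and computes which "Default: Yes" objects the merge considers for a parameter transaction with inheritance active or inactive. The record layout, the transaction codes ZPARAM/ZCORE, the object names, and the S_*/P_* prefix rule for Basis/HR objects are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Assignment:          # hypothetical record layout, not an SAP table
    app: str               # transaction code
    auth_object: str       # authorization object
    check_ind: str         # "CHECK" or "DO_NOT_CHECK"
    default: str           # "YES", "NO", or "" (not yet maintained)

# Assumption: Basis objects are named S_*, HR objects P_*.
BASIS_HR_PREFIXES = ("S_", "P_")

# Constructed sample: ZPARAM is a parameter transaction with core ZCORE.
ROWS = [
    Assignment("ZCORE", "Z_ORDER", "CHECK", "YES"),
    Assignment("ZCORE", "Z_PLANT", "CHECK", "NO"),
    Assignment("ZPARAM", "Z_REPORT", "CHECK", "YES"),
    Assignment("ZPARAM", "S_DEMO", "DO_NOT_CHECK", "NO"),
    Assignment("ZPARAM", "Z_LOG", "DO_NOT_CHECK", "NO"),
    Assignment("ZPARAM", "Z_TRACE", "CHECK", ""),
]

def audit(rows):
    """Flag the settings the documentation warns about."""
    findings = []
    for r in rows:
        if r.check_ind == "DO_NOT_CHECK":
            # AUTHORITY-CHECK for this object always succeeds in this transaction.
            reason = ("Do Not Check on Basis/HR object"
                      if r.auth_object.startswith(BASIS_HR_PREFIXES)
                      else "Do Not Check: confirm documented exception")
            findings.append((r.app, r.auth_object, reason))
        elif r.default == "":
            # Newly assigned by the authorization trace: red traffic light.
            findings.append((r.app, r.auth_object, "default status not set"))
    return findings

def merge_candidates(rows, tcode, core=None, inheritance=True):
    """Objects with Default: Yes that the merge takes into account for tcode."""
    sources = {tcode}
    if core and inheritance:
        sources.add(core)   # active inheritance also reads the core transaction
    return sorted({r.auth_object for r in rows
                   if r.app in sources and r.default == "YES"})

if __name__ == "__main__":
    for finding in audit(ROWS):
        print(finding)
    print(merge_candidates(ROWS, "ZPARAM", core="ZCORE"))
    print(merge_candidates(ROWS, "ZPARAM", core="ZCORE", inheritance=False))
```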
