Data ownership concept
SAP FICO Authorizations
If you set the profile parameter dynamically, no users are logged out of the application server, so you can prepare maintenance work in good time. Setting the profile parameter to 2 does not prevent logon with the emergency user SAP* if no user master record exists for SAP* and the profile parameter login/no_automatic_user_sapstar is set to 0. You can also change the value of the parameter again at the operating system level. For details on the SAP* user, see Tip 91, "Handling the default users and their initial passwords".
Organisational criteria are customised cross-client, but they are activated per client. If you want to use these permissions in different clients, you must activate the organisational criteria in each of those clients. You can then use the organisational criterion in your PFCG role. To do this, enter the S_TABU_LIN authorization object with the organisational criterion you created, and maintain its attributes with the organisational values for which the user should be authorised. As well as individual values, you can specify intervals for your organisational criterion, so that you can grant users permissions for multiple organisational values.
User Management
By implementing SAP Note 1723881, you resolve the third of these problems by preventing the same role from being recorded on different transport requests. To enable this change in system behaviour, you must set the CLIENT_SET_FOR_ROLES customising switch to YES in the PRGN_CUST table. This activates the setting in the SCC4 transaction for changing and recording custom customising objects ("Client modifiability") for role maintenance.
In a local table, find an entry for the user ID that you are creating in the SU01 transaction. For example, such a local table might be an Active Directory replication or a mini personnel master set, or you may have another data source that you replicate to your SAP system. Then, fill in the fields of transaction SU01 with the data from the local table.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
This authorization object is used in the same way as the S_TCODE authorization object.
This is preferable to a black list for security reasons.