Show TOC

 Reducing Authorization Checks in ApplicationsLocate this document in the navigation structure

You can display the authorization objects associated with each application. You can also exclude any of these authorization objects individually from the authorization check. You should have a thorough knowledge of this application and its context before you start.

To do this, proceed as follows:

  1. Start transaction SU24.
  2. On the Application tab page, select the type of application, and fill out the other fields displayed depending on your entry in this field.

    A result screen appears, with a table on the left that provides an overview of the applications that match your selection criteria.

  3. If you double-click one of the applications, a second table is displayed on the right. This table contains the assignment of authorization objects for the selected application. The check status of the objects is displayed here. For each object, the check status and the status of the authorization default values for the object are displayed.

    The check status of the object shows whether an authorization check takes place using the object in question, if this authorization check takes place within the selected application. The check status should always be check. Only set do not check in exceptional cases, if the selected application is a transaction and the authorization object is neither a Basis nor an HR authorization object. If you are not absolutely certain that do not check is correct for your transaction, leave the check indicator set to check.

  4. Set the check indicator to do not check with the Check Indicator button to suppress the check. See the note below regarding parameter transactions.
  5. Save your settings.
    Note

    The default values and the check indicator of an authorization object are important for the role administration tool. These values are only displayed for changing in the Profile Generator if you have set the check indicator to check with default Yes (previously: PP).

    If you have set authorization checks for your own applications, you need to enter the authorization objects which you have used into Transaction SU24 manually and also maintain the check indicators.

    Note

    For parameter and variant transactions, you cannot exclude authorization objects from a check directly, only using the authorization objects in the corresponding transaction.

If you want to set the check indicator of parameter Transaction XYZP to Do not check, you need to change the check indicator for the target Transaction XYZE. You can obtain the name of the actual transaction XYZE in transaction SE93. To do this, specify the name of the parameter transaction there and choose Display.

If the authorization object for parameter Transaction XYZP is set to P (check) but under the target transaction it is set to check with default Yes (previously: PP), the field values which have been maintained for XYZE will be proposed in the Profile Generator. If the authorization object is also set to check with default Yes  (previously: PP) in XYZP, the field values maintained for XYZP will be proposed in the Profile Generator, and the entries for XYZE will be overridden.

When using transaction SU24 for parameter transactions you can only maintain or overwrite the field values of the target transaction.