Reducing the Scope of Authorization Checks 

When SAP transactions are executed, a large number of Authorization Objects are often checked, since the transaction calls other work areas in the background. In order for these checks to be executed successfully, the user in question must have the appropriate authorizations. This results in some users having more authorizations than they strictly need. It also leads to an increased maintenance workload.

For an authorization check to be executed, it must be included in the source code of a transaction and must not be explicitly exempt from the check.

You can suppress authorization checks without changing the program code, as check indicators control authorization checks.

You also use check indicators to control which objects appear in the Profile Generator and which field values are displayed there for editing before the authorization profiles are generated automatically.

SAP supplies defaults for check indicator and authorization field values, which you should copy. You can then edit these copied defaults. You should only do this once you have defined your company's authorization concept.

You can reduce authorization checks within a transaction or exclude an authorization object globally from the check.

For more information, see:

Preparatory Steps

Globally Deactivating Authorization Checks

Reducing Authorization Checks in Transactions

Editing Templates for General Authorizations

Comparing Check Indicators and Field Values After a Release Upgrade

 

Authorization objects from the Basis (S_*) and Human Resource Management applications (P_*, PLOG) cannot be excluded from authorization checks. The field values for these objects are always checked.

You cannot exclude authorization objects used in parameter transactions from a check directly, only using the corresponding target transaction.