When you activate the Profile Generator, you permit specified authorization checks to be deactivated. The Profile Generator is active in the standard system (the system profile parameter auth/no_check_in_some_cases is set).
This setting has the following effect:
· When a transaction is called, the system always checks to see whether the authorization checks contained within it are to be suppressed.
· The authorization Profile Generator is activated. The system displays Authorizations on the initial screen for Transaction PFCG (Role Maintenance).
Perform the following steps in the Implementation Guide (IMG):
1. Copy SAP default settings for check indicators and authorization field values
Using Transaction SU25 (step 1), copy the default values delivered by SAP. This is how you import the SAP check indicator default values for the authorization objects within a transaction, and the authorization field values for the Profile Generator into the customer tables (tables USOBX_C and USOBT_C). You can edit these in Transaction SU24.
You can change both configurations to meet your requirements.
To import an upgrade, follow steps 2a to 2d.
It may take a few minutes to copy the SAP defaults into the customer tables.
See the documentation in Transaction SU25.
2. Schedule Background Job for Time Limits
You can set a time limit on the assignment of users to roles. To ensure that these changes are reflected in the user master record during the profile assignment, you need to schedule a background job to make the relevant adjustments daily.
For more information, see Comparing user master record profiles with roles.
To maintain the default check indicator settings, use transaction SU24 (see the following topics). To do this, you require the authorization ABAP Workbench (S_DEVELOP) with the following field values:
· ACTVT: 03 (Display) or 02 (Change)
· DEVCLASS: any
¡ SUSK (Assign transaction ® authorization object in customer systems)
¡ SUSK (Assign transaction ® authorization object in SAP systems)
· OBJNAME: Name of the transaction to be edited
· P_GROUP: any
You can edit the authorization proposals in the Profile generator.