Have you ever changed the default authorization values, causing the authorization field status to switch from “Standard” to “Changed”?
Did these changes lead to audit issues?
Are you frequently modifying SU24 check proposals to keep the object status as “Standard”?
If your answer to these questions is yes, this article is for you!
The problem statement:
As mentioned, the biggest problem with maintaining authorizations is BREAKING OF MAPPINGS between SU24 & PFCG. The authorization proposals suggested by SU24 by default may have to be modified by the Security administrators during the profile maintenance. For example:
S_USER_GRP proposes ACTVT 01, 02, 03 by default, but during role definition the security administrator is advised to maintain only ACTVT 02, 03 due to business requirements.
When ACTVT 01 is removed from the standard proposals, the status of the object is set to “Changed”, which auditors often do not accept.
Further, this is not an industry-recommended approach either.
SU24N – How different is it from SU24? Is this the answer?
SU24N is available with SAP_BASIS releases 754 and 755, and in 2021 SAP merged it with SU24.
With SU24, only one set of proposals can be defined, which often leaves some of the fields open because they had to be maintained directly in the roles. With the latest development of SU24, which for a while was called SU24N, it is now possible to build various sets (called variants) of authorization proposals.
On the new APPLICATIONS tab in PFCG, the role administrator can define which variants of the menu t-code an individual needs based on the user roles & responsibilities.
To create a new variant, follow the steps detailed below:
- Go to transaction code SU24.
- Select Type of Application as Transaction.
- Enter SU01 and click Execute.
- In the SU24 Data screen, click the Create Variant button.
- Enter a name for the variant (for example Z_SU01_CH_LOCK_DSP), enter a Short Text, and click Save.
Note: A workbench request will be created since we are making changes in SU24. Be sure to release this TR and move it forward to the Quality/Production systems as desired.
- For the S_USER_GRP object, maintain the values that are needed (make the necessary changes).
- Click Save.
Once the variant is created, you can see it in the Applications tab as soon as the transaction code is added to the menu. Refer to the screenshot below:
Follow the steps mentioned below to use the variant in the role while maintaining the authorizations:
- Go to PFCG and open the role that has the SU01 t-code in the ‘Menu’ tab.
- Navigate to the ‘Application’ tab and select the required variant, which was created as per the business need.
- Go to the Authorizations tab, where you will see the values maintained for the variant in SU24.
You may notice that the status of the object still shows as “Standard”.
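The effect of selecting a variant on the object status, as an added Python example that is not SAP code and not part of the original article. It is a simplified model of the status comparison; the proposal data, the variant's values (taken from the S_USER_GRP example above), the CLASS field being proposed empty, and the function names are assumptions made for illustration.

```python
# Simplified model of how an object's status follows from the SU24 proposal
# (default or variant) that the role's values are compared against.
# All proposal data is constructed for illustration.

# Proposals for transaction SU01, keyed by (t-code, variant); "" = default proposal.
# ACTVT values follow the article's S_USER_GRP example; an empty CLASS proposal
# is an assumption.
PROPOSALS = {
    ("SU01", ""): {
        "S_USER_GRP": {"ACTVT": {"01", "02", "03"}, "CLASS": set()},
    },
    ("SU01", "Z_SU01_CH_LOCK_DSP"): {
        "S_USER_GRP": {"ACTVT": {"02", "03"}, "CLASS": set()},
    },
}


def object_status(tcode, variant, obj, role_values):
    """Return 'Manual', 'Changed', 'Maintained' or 'Standard' for one object."""
    proposal = PROPOSALS.get((tcode, variant), {}).get(obj)
    if proposal is None:
        return "Manual"  # object is not proposed for this application
    status = "Standard"
    for field, proposed in proposal.items():
        actual = set(role_values.get(field, ()))
        if proposed and actual != proposed:
            return "Changed"  # a proposed value was removed or altered
        if not proposed and actual:
            status = "Maintained"  # an open field was filled in the role
    return status


def matching_variants(tcode, obj, role_values):
    """Variants of tcode that the role values fit without becoming 'Changed'."""
    return sorted(
        variant
        for (t, variant) in PROPOSALS
        if t == tcode and variant
        and object_status(tcode, variant, obj, role_values) != "Changed"
    )


if __name__ == "__main__":
    role = {"ACTVT": ["02", "03"]}  # ACTVT 01 removed, as in the article
    print(object_status("SU01", "", "S_USER_GRP", role))
    print(matching_variants("SU01", "S_USER_GRP", role))
```
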
Additional Information:
- AGR_APPL_VARS – Role vs. Variants
- USOBCONTAINER – T-codes vs. Variants