Question:
Why should we avoid auth object status turning into Manual and/or Changed?
Can someone please give specific reasons? What kind of problems would you face during an upgrade with objects in manual or changed status?
Answer:
You may want to search in this forum on this topic as it has been covered several times... But briefly,
"Changed" status means you changed a SAP-delivered value from SU24 in your role. From this point on SAP will NEVER touch this authorization. So if you delete a tcode from the role associated with the "Changed" authorization, this authorization will hang around, continuing to give access when you thought it was removed. (Note: SAP does not care how you get to the business process, only that you are authorized.) Further, it may cause SAP to continue to bring in "New" authorization when you use "read old and Merge new" when editing your roles (something you should do on every entry into the role) or when you add a tcode to the role.
"Manual" are OK to be in the role IF you have a STANDARD or MAINTAINED to support it. With a few exceptions (S_PROGRAM) you should configure SU24 to be the most restrictive and then add access with manual authorizations. Tcode SU01 is a good example if you have distributed maintenance of IDs. It should be set to read only or password reset only in SU24 so it accommodates the help desk, and all the other access added to the other roles with manual authorizations for Security admin. The reason to have a STANDARD or MAINTAINED "support" the existence of the Manual is to determine very quickly if the Manual should be in the role. If you removed the tcode that brought the STANDARD or MAINTAINED in and all that is left is a Manual, the Manual should be removed, since SAP does not care how you get to the business process, only that you are authorized.
_________________
John A. Jarboe
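
Added example, not part of the original answer and not SAP code: a small audit over a role export that lists every "Changed" authorization and every "Manual" authorization with no Standard or Maintained instance behind it. The CSV columns, status labels, role names and instance IDs are constructed for illustration, and "support" is assumed to mean the same authorization object in the same role.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: one row per authorization instance in a role.
# Column names and status labels are assumptions for this example,
# not an SAP table layout.
SAMPLE_EXPORT = """role,object,auth_instance,status
Z_HELPDESK,S_USER_GRP,T-D1000100,Standard
Z_HELPDESK,S_USER_GRP,T-D1000101,Manual
Z_HELPDESK,S_TCODE,T-D1000200,Standard
Z_HELPDESK,S_TABU_DIS,T-D1000300,Manual
Z_AP_CLERK,F_BKPF_BUK,T-D2000100,Changed
Z_AP_CLERK,F_BKPF_BUK,T-D2000101,Maintained
Z_AP_CLERK,F_LFA1_BUK,T-D2000200,Changed
Z_AP_CLERK,F_LFA1_BUK,T-D2000201,Manual
"""

# Only these statuses count as backing for a Manual authorization.
SUPPORTING = {"Standard", "Maintained"}


def audit_roles(export_text):
    """Return (changed, orphaned_manual) as lists of (role, object, auth_instance)."""
    by_object = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        key = (row["role"].strip(), row["object"].strip())
        by_object[key].append((row["auth_instance"].strip(), row["status"].strip()))

    changed, orphaned = [], []
    for (role, obj), instances in sorted(by_object.items()):
        statuses = {status for _, status in instances}
        supported = bool(statuses & SUPPORTING)
        for auth, status in instances:
            if status == "Changed":
                # Stays in the role even after the originating tcode is removed.
                changed.append((role, obj, auth))
            elif status == "Manual" and not supported:
                # Nothing Standard/Maintained left for this object in the role.
                orphaned.append((role, obj, auth))
    return changed, orphaned


if __name__ == "__main__":
    changed, orphaned = audit_roles(SAMPLE_EXPORT)
    for role, obj, auth in changed:
        print(f"CHANGED {role} {obj} {auth}: review, no longer follows SU24")
    for role, obj, auth in orphaned:
        print(f"ORPHAN  {role} {obj} {auth}: Manual with no Standard/Maintained")
```

A Manual that sits next to only a Changed instance is still reported as unsupported, because the answer names only Standard and Maintained as support.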