Controlling file access permissions
Advantages of authorization concepts
All external services for cross-navigation are stored in the role menu in the GENERIC_OP_LINKS folder. This folder also contains external services that represent the area start pages and logical links already mentioned. You can delete the latter, because they are either duplicates of entries in the other folders or external services that are not relevant. To set up correct permissions for the non-manageable external services in the GENERIC_OP_LINKS folder, you can identify the external services that your CRM business role needs and delete all the others. However, as mentioned, there is a risk that too many external services are deleted and that cross-navigation or calling saved searches no longer works. It is better to move the GENERIC_OP_LINKS folder to a separate role.
With transaction SU22, software developers can deliver their application with the appropriate authorization objects. After the data has been transferred from transaction SU22 to the tables of transaction SU24, the role developer can further process the proposed values with transaction SU24 or SU25 for use in transaction PFCG. See also SAP Note 1539556.
Lack of definition of an internal control system (ICS)
The permissions on database objects show you in detail what access the user has to the object. In this example, the MODELING role includes permission to use the _SYS_BI object with the EXECUTE, SELECT, INSERT, UPDATE, and DELETE privileges. A user assigned this role is not allowed to pass these privileges on to other users (Grantable to Others). The example role also includes Analytical Privileges and Package Privileges, which are not discussed here.
If an authorization system grows too much over the years without a structured approach, the result is uncontrolled growth. If companies wait too long to clean up, a complete rebuild of the authorization structure or a new concept may make sense. This must be clarified quickly in the event of a cleanup.
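The same information can be read from the database catalog. The queries below are an added example, not part of the original page: they use the standard SAP HANA system views SYS.GRANTED_PRIVILEGES and SYS.GRANTED_ROLES with the MODELING role and _SYS_BI schema named above, and assume an account that is permitted to read other grantees' entries in these views.

```sql
-- 1) Object privileges that the MODELING role holds on the _SYS_BI schema.
--    IS_GRANTABLE corresponds to the "Grantable to Others" flag and
--    should read 'FALSE' for every row of this role.
SELECT GRANTEE,
       OBJECT_TYPE,
       SCHEMA_NAME,
       OBJECT_NAME,
       PRIVILEGE,
       IS_GRANTABLE
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE      = 'MODELING'
   AND GRANTEE_TYPE = 'ROLE'
   AND SCHEMA_NAME  = '_SYS_BI'
 ORDER BY OBJECT_NAME, PRIVILEGE;

-- 2) Review list: every user or role that holds a privilege on _SYS_BI
--    and is allowed to pass it on. Each row here is a grantee that can
--    extend access to this schema without going through role maintenance.
SELECT GRANTEE,
       GRANTEE_TYPE,
       OBJECT_NAME,
       PRIVILEGE,
       GRANTOR
  FROM SYS.GRANTED_PRIVILEGES
 WHERE SCHEMA_NAME  = '_SYS_BI'
   AND IS_GRANTABLE = 'TRUE'
 ORDER BY GRANTEE, PRIVILEGE;

-- 3) Who currently receives the privileges from query 1: all users and
--    roles to which MODELING is granted, and whether they may grant the
--    role itself to others.
SELECT GRANTEE,
       GRANTEE_TYPE,
       GRANTOR,
       IS_GRANTABLE
  FROM SYS.GRANTED_ROLES
 WHERE ROLE_NAME = 'MODELING'
 ORDER BY GRANTEE_TYPE, GRANTEE;
```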
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
Starting with the technical infrastructure of companies and extending to the business processes in SAP systems.
You must explicitly allow access to these UI components through PFCG roles, similar to the permissions for access to specific transactions.