Dissatisfaction and unclear needs in the process
The SAP authorization concept
Permissions profiles are transported in the standard (since release 4.6C) with the roles. If you do not want to do this, you have to stop the data export in the source system by the control entry PROFILE_TRANSPORT = NO. The profiles must then be created by mass generation before the user logs are matched in the target system. This can be done via transaction SUPC.
The IF_IDENTITY interface of the CL_IDENTITY class provides various methods for maintaining the fields of the user master record. As a template for the implementation of the BAdIs, you can use the CL_EXM_IM_IDENTITY_SU01_CREATE implementation example, which automatically populates the SU01 transaction's surname, space number, phone, email address, user group, billing number, and cost centre fields. This example implementation does not provide an external data source; the user name is set as the last name and fixed values are used for the other fields. At this point, you must complete the implementation, depending on your requirements. There are several possible data sources for the user master data that you can access from the BAdI.
Authorizations
The Enable Transport Recording button allows you to save the changes in the roles on a transport order. For information on the validity of the PFCG_ORGFIELD_ROLES report, see SAP Note 1624104.
In the transaction SU01, enter a non-existent user ID and click the Create button (F8). The BAdI BADI_IDENTITY_SU01_CREATE is called with the new user ID. Implementation in the BAdI is running. For example, here you can read additional attributes to the new user from an external data source. The data collected within the BAdIs is written into the fields of the transaction SU01. This will show you the new user master set with the pre-filled fields. You can edit the user master record, such as assign roles, or change the pre-populated fields.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
In any case, you should ensure that these inactive users are either blocked or invalidated.
The same applies to other platforms such as CRM or Solution Manager.