Module
Coordinate authorisation management in customer-owned programmes
The background to the mass presence of authorization objects in a PFCG role after a role menu has been created is usually the mass of generic OP links that are not actually necessary for the CRMBusiness role. The existence of proposed values from the transaction SU24 loads the proposed authorisation values associated with the respective external services into the PFCG role, which results in too many unnecessary authorization objects being placed there. By excluding the GENERIC_OP_LINKS folder, you only need to take care of the external services and their authorization objects configured in the CRM business role in your PFCG role. For a user to have all the necessary permissions, you now assign the basic role with the permissions to the generic operating links and the actual role that describes the user's desktop.
Although it is possible to create profiles manually, it is recommended to work with the profile generator. The Profile Generator allows you to automatically create profiles and assign them to user master records. The Profile Generator is used to simplify and speed up user administration and should always be used when setting up authorizations for your employees. The Profile Generator is also used to set up the user menus that appear when users log on to the SAP system.
Hash values of user passwords
Due to the complexity of an SAP® authorization concept, it is necessary that all essential aspects are set down in a written documented authorization concept. This should describe the essential processes, but also how to handle the assignment of authorizations via roles. In particular, the nomenclature of specially created roles must be clearly defined. It should therefore be checked whether all changes since the last audit have been documented in the written authorization concept. After all, this document serves the auditor as a template for the so-called target/actual comparison. This means that the auditor compares the document with the actual status in the SAP® system for the main topics relevant to the audit. Any discrepancy can lead to a finding that must be avoided.
Do you have considerable care effort due to additional roles that you cannot deduce? Create a new organisational level to solve your problems. In the SAP system, you can create derived roles for specific fields in authorization objects. This is possible only if these fields are organisation levels. Unfortunately, not all fields that you need as an organisation level are laid down in the standard as such, such as the cost centre. It may also be that you only use one sales organisation in your company and would therefore like to define the sales office. So there are several reasons why you want to define a field as an organisational level. We will explain how this works and what you need to consider.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
With the help of this report, you must then rearrange all the roles listed in the Status column: Orgebene in Role are indicated in red.
So if a unit is subdivided into further functional areas, all employees of the unit and the functional areas should have the same authorizations.