Permissions with status
Advantages of authorization concepts
SAP delivers authorization objects for Records and Case Management, which you can use to control access to records, cases, documents, and incoming mail items for individual organizational units in your organizational plan in conjunction with corresponding Customizing settings. SAP delivers predefined roles that contain clearly defined authorizations for the respective task areas of the employees. Among other things, these roles also contain the authorization objects for Records Management and Case Management. You can use the roles as a template for your own roles and adapt them to your requirements.
Using these authorizations, any source code can be executed independently of the actual developer authorizations and thus any action can be performed in the system. This authorization should only be assigned to an emergency user.
Grant permission for external services from SAP CRM
Before you start and define critical permissions, you should identify your core business processes or functions and then map the conflicting processes in meaningful combinations as so-called risk. The RSUSR008_009_NEW report cannot replace a GRC system (GRC = Governance, Risk, and Compliance) with the SAP Access Control component. Rather, this report should be understood and used as an indicator of the current system state. The report identifies the users that have the critical permission combinations defined in the USKRIA table. The identifier, which can also be called a risk ID, describes a combination of authorization objects with field names and field values. These are linked to one of the two operatives AND or OR available.
As a second way to automate the mass maintenance of role pipelines, we mentioned the use of business role management. Various solutions are offered on the market that offer this functionality in the same or similar form. Some of these solutions do not use the derivation concept; This has the advantage that the organisational matrix is not limited to organisational fields. However, the major deviation from the standard functionalities of the PFCG role is detrimental to this variant.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
If you are using Expert mode, make sure that the Alten Stand default is read and match with new data.
In addition, roles may also have expired due to the specification of a validity period.