SAP systems: Control user authorizations with a concept
Perform Risk Analysis with the Critical Permissions Report
For the scenario of sending initial passwords, signing e-mails is not so relevant. Although it is possible to send an encrypted e-mail with a fake sender address, the initial passwords would not work in the system in that case. The situation is different when you send business data; in such cases, verification of the sender via a digital signature is recommended. If you want to send digitally signed e-mails, we advise you to send them from the system's e-mail address. To do this, use the SEND_EMAIL_FOR_USER method described and set the sender indicator to the system. In this case, you need a public key pair for your ABAP system, which is stored as a Personal Security Environment (PSE). For a detailed description of the configuration, including verification and decryption of received e-mails, see the SAP Online Help at http://help.sap.com/saphelp_nw73ehp1/helpdata/en/d2/7c5672be474525b7aed5559524a282/frameset.htm and SAP Note 1637415.
Don't simplify your authorization concept before you know all the requirements; first ask yourself what you need to achieve. So first analyse the processes (if possible, also technically) and then create a concept. Many of the authorization concepts we found at customers were not suitable to meet the requirements. Some of these were "grown" authorization concepts (i.e., requests were repeatedly added) or purchased authorization concepts. Many of these concepts had in common that they were oversimplified rather than simple. A good example is authorization concepts that summarise all organisational levels in value roles or organisational roles. There are few examples, such as the role manager of the industry solution SAP for Defence and Security, in which the result of a value role concept is still useful and appropriate for the user. The assumption that you "sometimes" separate all the authorization objects that contain an organisational level is simple, but not useful. We have never come across the simplification that only a user without permissions can definitely not have illegal permissions. However, we always found cases in which users had far too many permissions and the system was therefore not compliant.
Implementing the authorization concept in the FIORI interface
In order to make a well-founded statement about the complexity and the associated effort, a fundamental system analysis is required in advance. The results obtained from this form an excellent basis for estimating the project scope and implementation timeframe.
Small companies would theoretically benefit from an authorization tool. However, in many cases the tools are too costly, so the cost-benefit ratio is usually not favourable.
Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.
If you want to know more about SAP authorizations, visit the website www.sap-corner.de.
At the end there is a list of objects.
Correction is used to change the mixing mode for PFCG: On/Off/Roles.