Set up permission to access Web Dynpro applications using S_START
Retain the values of the permission trace to the role menu
A prerequisite for the indirect assignment of PFCG roles is a well-maintained organisational model. This may correspond to a line organisation consisting of organisational units to which posts are assigned. Use an organisation chart to visualise the employee structure of the company or department for which you are to assign roles. Assign to the posts the people to whom a user is assigned as an attribute. In addition, you can also include other objects from HR organisation management, such as the posts describing the post and assigning roles.
Over the course of time, many companies experience profound changes in the framework conditions that significantly influence SAP® authorization management. Not uncommon are subsequent requirements from the area of compliance (SOX or similar) or the increased need for protection.
Define security policy for users
To define table permissions in the PFCG transaction, it is not necessarily sufficient to specify the generic table display tools, such as the SE16 or SM30 transactions, in the role menu. The proposed values for these transactions are very general and only provide for the use of the S_TABU_DIS or S_TABU_CLI authorization objects. Explicit values must be entered depending on the tables that you have selected for permission. To explicitly grant access to the tables through the S_TABU_NAM authorization object, you can create a parameter transaction for each table access. For example, a parameter transaction allows you to call tables through the SE16 transaction without having to specify the table name in the selection screen because it is skipped. You can then maintain suggestion values for the parameter transaction you created.
You can set up a nightly background job to match the certificates with your customer's own programme. This requires that the certificates can be obtained through an SAP programme.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
Classification varies for the different eligibility tests.
The User Management Engine offers options that go beyond the J2EE standard.