Use automatic synchronisation in central user management
Authorizations
When creating the permission concept, a naming convention is defined for PFCG roles. Every customer has his own preferences or specifications, which must be adhered to. According to our project experience, some naming conventions are particularly attractive. Naming conventions for PFCG roles can be very diverse. You will have noticed that even the roles provided by SAP do not correspond to a uniform naming convention. So there are roles whose names start with SAP_. There are also roles, such as for the SRM system, that start with the /SAPSRM/ namespace. In this tip we would like to give you some hints and criteria that you can use to help define a naming convention of PFCG roles.
Certain permissions that are not relevant until a job step is run are checked at the time of scheduling for the specified step user. This checks whether the selected user is authorised to run the specified ABAP programme or external command. For programmes associated with a permission group, the S_PROGRAM object is checked. External commands test for the object S_LOG_COM.
Use Custom Permissions
Every SAP system (ERP) must be migrated to SAP S/4HANA® in the next few years. This technical migration should definitely be audited by an internal or external auditor.
Manual addition of authorization objects to roles is sometimes necessary. However, the start authorizations for actions should be generated into the role exclusively via the role menu. For the following evaluations the table AGR_1251 is used, in which to the roles the authorization objects with their values are stored.
With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
As the rolls pass, the value ranges for the field in question are searched within a role.
You can also graphically evaluate these changes via an end-to-end analysis in SAP BW; contains information on the number of changes per system, the type of changes and the modification date.