Critical authorizations
A concept for SAP authorizations prevents system errors and GDPR violations
The generic entries cause deletions in the target system if the same entries originate from both development systems. To prevent this, implement SAP Note 1429716. Then use the report SU24_TRANSPORT_TABLES to transport your SU24 data. This report creates a detailed transport object list based on the application names. Since the report has significantly longer runtimes than step 3 of transaction SU25, we advise you to use this report only in a Y-landscape.
You have an organizational structure that includes 4 hierarchical levels (authority, department, unit, functional area). The authorization concept in your organization states that access (processing) to Records Management objects should be allowed for an employee only within his/her own organizational unit. However, the authorization check should only take place on three levels. So if a unit is subdivided into further functional areas, all employees of the unit and the functional areas should have the same authorizations. Since department 2 and department 3 work very closely together, employees of department 2 should be able to read all files, transactions and documents of department 3 and vice versa.
Grant permission for external services from SAP CRM
In many SAP environments, there are historically grown authorization structures that cause unnecessary security gaps. These should be examined closely.
An overview of the information currently relevant to your system landscape can be obtained from the System Recommendations application in the Change Management section of SAP Solution Manager (transaction SOLMAN_WORKCENTER or SM_WORKCENTER). This application recommends the SAP and non-SAP notes to be implemented for the evaluated systems.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
You can create up to 1,000 custom authorization checks in the Check ID namespace 9000 to 9999.
It should also be noted that the authorization concepts in use can be circumvented by ABAP code, which underlines the significance of security vulnerabilities in ABAP code.