SAP Authorizations Detect critical base permissions that should not be in application roles - SAP Basis

Detect critical base permissions that should not be in application roles
Dissatisfaction and unclear needs in the process
To read or modify data, a user must have both the privilege of performing a specific action and the privilege of accessing the object. The following privileges are distinguished in SAP HANA.
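The two-part requirement above (a privilege for the action and a privilege for the object) can be made concrete with plain SAP HANA SQL. The following is an added example, not code from the page: the role, schema, table and user names (APP_REPORTING_RO, SALES, ORDERS, REPORT_USER) are assumed placeholders. It grants only the object privilege that a read-only reporting role needs, deliberately keeps a powerful system privilege out of that application role, and then queries the EFFECTIVE_PRIVILEGES view so an auditor can confirm what the user actually ended up with.

```sql
-- Added example, not from the original page. Names below are assumed.

-- Application role for read-only reporting on one schema.
CREATE ROLE APP_REPORTING_RO;

-- Object privilege: access to the object (the SALES schema).
-- SELECT is the specific action; SCHEMA "SALES" is the object.
GRANT SELECT ON SCHEMA "SALES" TO APP_REPORTING_RO;

-- A critical base (system) privilege such as USER ADMIN belongs in a
-- dedicated administration role, never in an application role.
-- The correct place for it (assumed role name):
CREATE ROLE BASIS_USER_ADMIN;
GRANT USER ADMIN TO BASIS_USER_ADMIN;

-- Assign the application role to the reporting user only.
CREATE USER REPORT_USER PASSWORD "Initial_Pw_1" NO FORCE_FIRST_PASSWORD_CHANGE;
GRANT APP_REPORTING_RO TO REPORT_USER;

-- Audit check: list every privilege the user holds, directly or via roles.
-- A row with OBJECT_TYPE = 'SYSTEMPRIVILEGE' for an application-only user
-- would be a finding to follow up.
SELECT USER_NAME,
       GRANTEE,
       GRANTEE_TYPE,
       OBJECT_TYPE,
       SCHEMA_NAME,
       OBJECT_NAME,
       PRIVILEGE,
       IS_GRANTABLE
  FROM EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'REPORT_USER'
 ORDER BY OBJECT_TYPE, PRIVILEGE;
```

The final query is the useful part for the topic of this page: running it for each user of an application role shows whether a system privilege has crept in through role nesting, which is exactly what a review of critical base permissions is trying to detect.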

In 2020, there were 82,761 cases of computer fraud in Germany. Five years earlier, the number of cases was significantly lower - 23,562 cases - and it has increased steadily since then. The smaller the group of people with access, the smaller the risk of data falling into the wrong hands. Efficient and well thought-out authorization management plays a key role in minimizing risk and is a good way of protecting against unauthorized access, data misuse and industrial espionage. Without a coherent, well thought-out concept, the regulation of access and authorizations for the users or key users of an SAP system is a serious security vulnerability.
Criticality
You can also remove customer-specific organisational levels and convert them back to a simple permission field. The report PFCG_ORGFIELD_DELETE serves this purpose. It removes the permission field from the USORG table and adjusts the permission proposal values for that field. Finally, it goes through all the roles that contain a value for the field. However, it does not restore the field's earlier state, because values that were merged when the field was elevated to an organisational level can no longer be separated. Instead, the aggregated values are entered separately in each field. The PFCG_ORGFIELD_DELETE report also provides a value help that shows only the customer's organisational levels. You can also use this value help to determine all customer-specific organisational levels.

If you have defined the roles to the extent that the essential processes are depicted, then you will technically check which organisational features they contain (organisational levels, but also cost centres, organisational units, etc.). You then compare the technical result with the result from the consideration of the structure organisation and the business role description. A likely result is that you do not have to use all technical organisational features for differentiation. A possible result is that you want to add fields such as the cost centre to the organisation level.

With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.

What sounds simple requires a few steps to be learned.

In the example, the single ledger entry for the vendor account 100000 was invoked.