Evaluation of the authorization check SU53
Implementing the authorization concept in the FIORI interface
The maintenance status of authorizations in PFCG roles plays an important role when you work with the role menu. The maintenance status shows how an authorization object entered the role and how it was maintained there. The merge function for authorization data in role maintenance (transaction PFCG) is a powerful tool that helps you with role processing. If the role menu has been changed, the merge function automatically adds the authorization proposals that are included in a single role. This is based on the authorization proposal values defined in transaction SU24, which have the maintenance status Standard in authorization maintenance. These authorization values are also called standard authorizations. Authorizations with a different maintenance status, i.e. Maintained, Changed or Manual, are not changed during the merge; the exception is the removal of transactions.
In many SAP environments, there are historically grown authorization structures that cause unnecessary security gaps. These should be examined closely.
Critical authorizations
Any deviation from the defined process must be fully documented and justified. This is because it is precisely deviations from the standard case that are of great interest to an auditor, as the auditor must determine whether a deviation could have an impact on the correctness of the data.
HR authorizations are a very critical issue in many companies. On the one hand, HR administrators should be able to perform their tasks - on the other hand, the protection of employees' personal data must be ensured. Any error in the authorization system falls within the remit of a company's data protection officer.
Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.
In role maintenance (transaction PFCG), you maintain not only the role menu of a single role; on the Authorizations tab you can also maintain the authorization objects and authorization field values.
This is required if you have entered a different table permission group when maintaining the table permission groups, for example, for the T000 table.