Solution approaches for efficient authorizations
Evaluate Permission Traces across Application Servers
If it is clear that a cleanup is necessary, the first step should be a detailed analysis of the situation and a check of the security situation. Based on these checks, a redesign of the authorizations can be tackled.
To access business objects or execute SAP transactions, a user needs appropriate authorizations, since business objects or transactions are protected by authorization objects with multiple authorization fields. Authorizations represent instances of generic authorization objects and are defined depending on the employee's activity and responsibilities. The authorizations are combined in an authorization profile (Generated profile), which is assigned to a role. User administrators then assign the appropriate roles (single role or composite role) via the user master record so that the user can use the appropriate transactions for his or her tasks.
Copy values from the Clipboard to the transaction's PFCG permission fields
In compliance with the minimum principle and the separation of functions, the roles used must be defined, along with specifications for their naming, structure and use. Close attention should also be paid to the application and allocation process in order to prevent authorization conflicts, which arise primarily as a result of employees' changing or expanding areas of responsibility.
The S_START boot authorisation check is delivered inactively by SAP. If this test is activated in an AS-ABAP installation (see also SAP Note 1413011), this will affect all clients. Therefore, before you activate, it must be ensured that all affected users in the permission profiles associated with them have the necessary values in the S_START permission fields.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
Double-clicking on this service will tell you that no suggestion values have been maintained there.
Because it is possible to assign roles and permissions to a user first, and then assign a user group that does not have permission to assign roles and profiles.