Use Custom Permissions
Permissions with Maintenance Status Used
The handling of organisational levels in PFCG roles wants to be learned. If these are maintained manually, problems arise when deriving rolls. We will show you how to correct the fields in question. Manually maintained organisational levels (orgons) in PFCG roles cannot be maintained via the Origen button. These organisational levels prevent the inheritance concept from being implemented correctly. You can see that organisational levels have been maintained manually when you enter values via the Ormits button, but the changes are not applied to the authorization object.
Are you sure that your compliance is always ensured when using your SAP system? Would you like to make SAP authorization assignment clearer and reduce the manual workload? Our SAP add-on apm creates simplified processes and thus more transparency in your existing SAP authorization management. Reduce administrative effort and ensure clarity in your compliance solution.
System Security
The Permissions check continues again if the table in question is a client-independent table. This is done by checking the S_TABU_CLI authorization object, which decides on maintenance permissions for client-independent tables. For example, the T000 table is a table that is independent of the client and would be validated. To enable a user to maintain this table by using the SM30 transaction, you must maintain the S_TABU_CLI authorization object, in addition to the table permission group or specific table, as follows: CLIIDMAINT: X.
In the area of group consolidation, an authorization concept ensures that no data can be deliberately manipulated, for example to change balance sheets. This can prevent significant financial or reputational damage to banks and stakeholders. Furthermore, access to financial data of subdivisions of a group, such as individual business units or companies, must be restricted to those employees who are allowed to access it because their current activities require it. As a result, a controller of a business unit, for example, can only view the consolidated figures of his business unit, but not the figures of the entire group. Further authorization roles are required, for example, for external auditors. These auditors check all the figures for the entire group, but may only have read access to this data.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
This note provides information on recommended revisions for certain SAP base versions and recommendations for additional guidance, which are listed in the Annexe.
The first two problems can be solved by inserting the correction from SAP Note 1614407.