Use SAP_NEW correctly
Sometimes implementation consultants are also confronted with the situation that no authorization concept exists at all. This happens, for example, when changes in SAP SuccessFactors responsibilities occur on the customer side or different implementation partners were active in the past. However, a missing concept can lead to errors in the system. Users cannot perform certain actions, or worse, people see sensitive data that they should not see. This can, in the worst case, constitute a DSGVO violation and lead to a fine for the company.
We advise you not to use the self-set password with a self-service as a generated password is more secure. The password is generated depending on the password rules; This is done by first evaluating the settings in the security policy assigned to the user. If no security policy has been assigned to the user, the system will consider the password rules in the profile parameters and in the customising table PRNG_CUST. In order for the associated security policy to be considered, you may need to include the correction provided with SAP Note 1890833. Remember that the BAPI_USER_CHANGE function block does not automatically unlock the user. In the event of a lock-out due to incorrect logins, you still have to unlock the user using the BAPI_USER_UNLOCK.
SAP license optimization
For an overview of the active values of your security policy, click the Effective button. Note that not only the attributes you have changed are active, but also the suggestion values you have not changed.
Thanks to the new feature provided with the Support Package mentioned in SAP Note 1847663, it is possible to use trace data from the privilege trace in the SU24 transaction for suggestion value maintenance. The system trace that you can call through the ST01 transaction or the STAUTHTRACE transaction (see also Tip 31, "Optimise Trace Evaluation") is a short-term, client-dependent trace that you can restrict to users or applications.
Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.
For each required transaction, you decide in detail which groups of people are allowed access.
All external services with their suggested values can be viewed or maintained in the transaction SU24.