Use the authorisation route to identify proposed values for customer developments
Maintain generated profile names in complex system landscapes
Before you start and define critical permissions, you should identify your core business processes or functions and then map the conflicting processes in meaningful combinations as so-called risk. The RSUSR008_009_NEW report cannot replace a GRC system (GRC = Governance, Risk, and Compliance) with the SAP Access Control component. Rather, this report should be understood and used as an indicator of the current system state. The report identifies the users that have the critical permission combinations defined in the USKRIA table. The identifier, which can also be called a risk ID, describes a combination of authorization objects with field names and field values. These are linked to one of the two operatives AND or OR available.
The role menu of the PFCG role now consists of folders that represent all logical links within a scope start page, and external services that represent the logical links and the area start pages themselves. This means that any external service listed in the Role Menu is eligible for a Area Start Page or Logical Link. If such an external service is removed from the role menu and the PFCG role is generated, the user of this PFCG role does not have permissions to view this external service (see screenshot next page). You will find duplicate, maybe even triple, entries from external services. These are mainly found in the folders of the homepage and under GENERIC_OP_LINKS. You can delete them without any concern, because an external service for a permission must appear only once in the Role menu. For a better overview, it is also useful to rename the external services or folders as they are shown in the SAP CRM Web Client.
THE "TOP SEVEN"
Employees should only be able to access data relevant to their work, country or accounting area in tables? Set up organisational criteria to ensure this. Do you want users to be able to read or maintain specific tables, but only have access to the table contents that are relevant to them? The S_TABU_DIS and S_TABU_NAM permissions objects allow you to access the tables, but if you want a user to see or maintain only parts of the table, these authorization objects will reach their limits.
Versions are the change documents within the development environment, for example, for changes to ABAP source code or the technical properties of tables. This authorization should only be assigned to an emergency user.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
Now the upgrade work can begin.
Whether it's recertification of SAP users, vacation requests or birthday wishes: all these things can now be processed and managed centrally in one place.