What to do when the auditor comes - Part 1: Processes and documentation
Module
For the transport of PFCG roles with their profiles there is also an SAP notice: Note 1380203. If you enter the correction, it is possible to use separate positions for the third and fourth digits of the generated profile name for the definition. In the SAP standard, the name of a generated profile is composed as follows, for example, if the System ID is ADG: T-AG#####. If your other source systems differ only in the second place of the system ID, the profile name does not indicate from which system the profiles originate.
Access options and authorizations are defined and controlled in the SAP authorization concept. How secure business data is in SAP depends largely on the assignment of authorizations and access options for a company's users.
Maintain transaction start permissions on call CALL TRANSACTION
Each pass of the profile generator collects all the permission suggestions from the SU24 transaction to a transaction added through the role menu of the single role and checks the permissions to be added to the permission list. The following effect is to add transactions to a role when the added transaction is announced through the role menu of the role and various criteria are met.
You can also remove customer-specific organisational levels and convert them to a simple permission field. The report PFCG_ORGFIELD_DELETE serves for this purpose. It removes the permission field from the USORG table and changes the permission proposal values to that field. Finally, it goes through all the rolls that contain a shape to the field. However, it does not restore the old location of the field, because summarised values will no longer be separated when the field is elevated to the organisational level. Instead, the aggregated values are entered separately in each field. The PFCG_ORGFIELD_DELETE report also provides a value aid that shows only the customer's organisational levels. You can also use this value aid to determine all customer-specific organisational levels.
Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.
The user can export this overview at any time.
Finally, you can run your report variant with critical permissions.