Authorization objects
Implementing CRM Role Concept for External Services
This also implies that the change documents must be kept in Excel. The Excel file must not be lost or damaged.
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.
Entry into role maintenance requires the transport permission (S_USER_AGR, ACTVT = 02) in addition to the modification permission (S_USER_AGR, ACTVT = 21). If role recording requires creating new transport jobs or tasks, you need permissions to the transport objects (e.g. S_TRANSPRT with TTYPE = CUST or TASK and ACTVT = 02).
Authorization check
When creating the permission concept, a naming convention is defined for PFCG roles. Every customer has his own preferences or specifications, which must be adhered to. According to our project experience, some naming conventions are particularly attractive. Naming conventions for PFCG roles can be very diverse. You will have noticed that even the roles provided by SAP do not correspond to a uniform naming convention. So there are roles whose names start with SAP_. There are also roles, such as for the SRM system, that start with the /SAPSRM/ namespace. In this tip we would like to give you some hints and criteria that you can use to help define a naming convention of PFCG roles.
An alternative to using the S_TABU_LIN authorization object is to create custom table views that make organisational delimitation easier to achieve. To do this, create a new view in the SE11 transaction and add the table to which the constraint will apply on the Tables/Join Conditions tab. The Selection Conditions tab allows you to specify your restrictive organisational condition in the form of a field and a field value. You then authorise all relevant users to access the view, which contains only data for your organisational restriction.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
Describe which employee groups, which organisational units use which applications and define the scope of use.
Note that not only the attributes you have changed are active, but also the suggestion values you have not changed.