Immediate authorization check - SU53
Authorization roles (transaction PFCG)
As an SAP SuccessFactors implementation partner, we are often confronted with complex authorization constellations. For sure: If a consulting company does not implement a process first and the "framework" is missing as a result, the existing SAP authorizations must be analyzed retrospectively and the underlying concept must be understood. Only then can the new process be meaningfully inserted into the authorization concept.
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
The freeware Scribble Papers puts an end to the confusing paper chaos. The tool is also suitable for storing, structuring and quickly finding text documents and text snippets of all kinds in addition to notes.
Excel-based tools typically do not know the release-specific suggestion values (they often work without the in-system suggestion value mechanism, because they do not use the PFCG transaction). This also means that it is not possible to upgrade rolls with standard SAP tools, such as the SU25 transaction. This also increases the dependency on the external tool, and the authorisation system is further removed from the SAP standard and the best practices recommended by SAP in role management.
Permissions with Maintenance Status Changed or Manual
There are several ways to view the implementation of permission checks: Either you jump directly from the system trace for permissions to the appropriate locations in the programme code, or you go over the definition of the authorization objects. To view the permission checks from the permissions system trace, start the trace from the STAUTHTRACE transaction and run the applications you want to view. Now open the evaluation of the Trace. In the Programme Name column, you can see the programme that includes the Permissions Check. Double-click to go directly to the code site where the permission check is implemented.
If your user is assigned the privilege ROLE ADMIN (either directly or through a role), you can create your own roles and assign them to users. You can do this by drawing on existing privileges and roles. The privileges themselves are provided by developers with appropriate permissions to create applications, including the privileges they require. Often, as the permission administrator, you do not have the privilege to create privileges. This is also useful because only the application developer can decide what properties the privileges of using the objects in the application should have. The application developer also decides whether his application provides appropriate roles in addition to privileges.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
The report also shows which roles are assigned to which users and whether there are duplicates, for example of groups or authorizations.
At this point, however, you do not specify which reference roles should be derived for these organisational values.