Law-critical authorizations
Advantages of authorization tools
Finally, we would like to draw your attention to SAP Note 1781328, which provides the report PFCG_ORGFIELD_ROLES_UPD. This report enables a mass update of existing role derivations. However, you do not use the concept of the organisational matrix, but you have to store the new organisational values directly when the report is called. Therefore, this function requires a high degree of understanding for the adjustments that are running in the background and is therefore only available as a pilot note. This means that this message must be explicitly requested via a customer message and only then will SAP support release it for you if necessary. It is not currently planned to make the information generally available via a support package.
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.
Once you have defined your criteria for executing the report, you can create different variants for the report and schedule corresponding jobs to automatically lock down or invalidate the inactive users. If you want to start the report in a system that is connected to a Central User Management, you should consider the following points: You can only set local user locks. You can set the validity period only if the maintenance is set to Local in the settings of the Central User Management (this setting is set in the SCUM transaction).
View system modifiability settings
You can now assign transactions to these roles. Experience has shown that roles should remain application-specific and that a distinction between book or investing, changing and reading roles is also useful. There will be regular transactions used in multiple roles. You should not overestimate the often demanded freedom of redundancy. However, for critical transactions or transactions that are involved in a functional separation conflict, it is recommended that they be kept in a separate role. In general, roles should not contain too many transactions; Smaller roles are easier to maintain and easier to derive. Also, assigning them does not quickly lead to the problem that users have too many permissions. If you keep the necessary functional separations in place, you have already prepared them as a takeaway.
With apm Suite, you can put together your individual GRC/SOX-compliant solution for SAP authorizations as needed. This is helpful, for example, to optimally manage SAP roles, for the determination of critical rights, the SAP user application, the auditing of emergency users or the password self service. With apm Suite you will never lose track of your compliance in SAP authorization management.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
To have these ERP transactions available in SAP SCM, create a new PFCGE role in SAP SCM, e.g. ZS:XXXX:ERP_MENU.
To do this, complete the appropriate SET_* methods of the IF_IDENTITY interface.