Controlling file access permissions
Authorization tools - advantages and limitations
The background to the mass presence of authorization objects in a PFCG role after a role menu has been created is usually the mass of generic OP links that are not actually necessary for the CRMBusiness role. The existence of proposed values from the transaction SU24 loads the proposed authorisation values associated with the respective external services into the PFCG role, which results in too many unnecessary authorization objects being placed there. By excluding the GENERIC_OP_LINKS folder, you only need to take care of the external services and their authorization objects configured in the CRM business role in your PFCG role. For a user to have all the necessary permissions, you now assign the basic role with the permissions to the generic operating links and the actual role that describes the user's desktop.
The SAP CO module is the module for classic controlling in a company. Part (the responsible area) of it is the control and analysis of costs. This also includes the control of the cost types and the cost rates that are incurred and posted in the company. Controlling then usually reports directly to the company management. It is supported by the tools from the SAP CO module, which can provide comprehensive evaluations and analyses. SAP CO can be subdivided into several further subareas. These include, for example, CO-PC (Product Cost Accounting), CO-PA (Profitability Analysis) or PCA (Profit Center Accounting).
Reference User
You can use the previously created organisational matrix to either mass create new role derivations (role derivation) or mass update role derivations (derived role organisational values update). For both scenarios, there are separate Web-Dynpro applications, in which you must select the corresponding reference roles.
Transaction PFCG also offers you the option of automatically collecting permissions. Not every transaction entered into a single role via a role menu necessarily needs its own permission entry in the permission tree, because some transactions have identical or similar permission proposal values.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
The next step is to maintain the permission values.
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
Open the transaction and go to Permissions > Other Users or F5 to the User Selection menu.