Error analysis for authorizations (part 1)
For an authorization concept, a clear goal must be defined that is to be achieved with the help of the concept. This should list which regulatory requirements the respective system and the associated authorization concept must take into account. In this way, the legal framework is defined, which is a legal necessity for successful implementation.
However, it is possible to include the same role in several tasks of different operators within each contract. This increases transparency for you, because all participants can instantly identify which users are editing the role. Before you enable the use of the SCC4 transaction setting for role maintenance, you should release existing role transports to avoid recording conflicts. As a rule, you do not choose the setting depending on your role-care processes; So you have to think very carefully about what the activation will do.
Each UI component that can be clicked corresponds to an external service that must each have permission set up. UI components also include creating or calling stored searches or navigating from one record directly to another record, such as calling an appointment directly from a business partner; This corresponds to cross-navigation. All navigation options in the form of external services are defined in the customising of the CRM business role in the form of a generic outbound plug mapping to the navigation bar. Outbound Plugs (OP) define what happens when a user leaves a view in SAP CRM. Here the customising is set for scenarios that do not necessarily fit all CRM business roles. The corresponding CRM business roles have been configured to be associated with outbound plugs that are not required for the respective CRM business role scenario. This explains the large number of external services in the role menu.
Do you have considerable care effort due to additional roles that you cannot deduce? Create a new organisational level to solve your problems. In the SAP system, you can create derived roles for specific fields in authorization objects. This is possible only if these fields are organisation levels. Unfortunately, not all fields that you need as an organisation level are laid down in the standard as such, such as the cost centre. It may also be that you only use one sales organisation in your company and would therefore like to define the sales office. So there are several reasons why you want to define a field as an organisational level. We will explain how this works and what you need to consider.
With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.
Special caution is taken when you enter generated permission profiles directly on the Profiles tab, as these assignments will be deleted by matching user assignments with the transaction PFUD if no entry is on the Roles tab for the assignment.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
Furthermore, these values can be used as a basis for risk definitions.