Note the maintenance status of permissions in roles and their impact
User master data
If a transaction is removed from the role menu, the default permission is deleted when mixing. However, this only applies if no further transaction requires this permission and therefore uses the same permission proposal. This applies to both active and inactive default permissions.
Database Schema Privileges permissions: Schema Privileges are SQL object permissions that control access to and modification of a (database) schema, including the objects contained in that schema. A user who has an Object Privilege for a schema also has the same Object Privilege for all objects in that schema.
Challenges in authorization management
The S_RFCACL authorization object is removed from the SAP_ALL profile by inserting SAP Note 1416085. This notice is included in all newer support packages for the base component; This affects all systems down to base release 4.6C. The reason for this change is that the S_RFCACL authorization object, and especially the expression "total permission" (*), is classified as particularly critical for its fields RFC_SYSID, RFC_CLIENT and RFC_USER. These fields define from which systems and clients or for which user IDs applications should be allowed on the target system. Thus, the overall authorisation for these fields allows the login from any system and client or for any user and thus creates significant security risks.
Other project settings should be defined on the Scope, Project Views, Project Employees, Status Values, Keywords, Document Types, Transport Orders, and Cross Reference tabs. After all entries have been made, you must secure the project. Do not forget to generate the project. The SPRO transaction allows you to edit the newly created customising project. The first call does not display the newly created project. To view it, click the Record button in the Work Inventory ( ), select your project, and then confirm your selection. After you have successfully created, generated, or edited the project, you will perform the PFCG transaction to create a customising role for the project. Select a name for the role, and then click Create Single Role. Now open the Menu tab and follow the path: Tools > Customising Permissions > Add > Insert Customising Activities. Then choose between IMG Project and View of an IMG Project. All transaction codes are added from the IMG project to the Role menu. Note that this can be a very large number of transactions and can therefore take longer. You can then use the Permissions tab to express the authorization objects as usual. Back up and generate the role.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
For example, they can activate Succession & Development without affecting position management in Employee Central.
If you want to know more about SAP authorizations, visit the website www.sap-corner.de.
Of course, topics such as updating internal and third-party tools, integrating cloud solutions, modern hybrid infrastructures, defining and operating ongoing dynamic changes, etc.