Rebuilding the authorization concept
Include customising tables in the IMG
The maintenance status of permissions in PFCG roles plays an important role in using the Role Menu. The Maintenance Status allows you to determine how the authorization object entered the role and how it was maintained there. The blending function of role maintenance credentials in the PFCG transaction is a powerful tool that helps you with role processing. If the Roll menu has been changed, the Mix feature will automatically add the permissions suggestions that are included in a single role. This is based on the proposed authorisation values defined in the transaction SU24, whose maintenance status is standard in the authorisation maintenance. These permission values are also called default permissions. Permissions with different maintenance status, i.e. Care for, Modified or Manual, are not changed during mixing - the exception is removing transactions.
SAP authorizations are a security-critical and thus an immensely important topic in companies. They are used not only to control the access options of users in the SAP system, but also the external and internal security of company data depends directly on the authorizations set.
List of required organisational levels and their value
After successful implementation of your permission check, the new authorization object for your application must be maintained in transaction SU24. If your solution is distributed in other system landscapes, the authorisation proposals in the transaction SU22 are maintained. In addition, with the permission proposal value maintenance, you can make sure that the new authorization object is not forgotten in a role system, because it is now loaded automatically into the PFCG role when the application is called up via the role menu. In the final step, the permission administrator can create the PFCG role or must remix the existing PFCG roles.
However, if a company does not have a concept for introducing new SAP authorizations and these are always coupled with new roles, the roles and authorizations will continue to grow. New modules, new processes and new user groups very quickly lead to many authorization groups, numerous authorization roles and complex documentation - even assuming the ideal case that companies have used Excel, for example, for all previous implementations and enhancements and have kept the documentation up to date. What is the purpose of a role? Which user has which authorization? Due to the amount of roles and authorizations, it quickly becomes confusing for users. System performance also suffers as the amount of data increases.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
At least one separate file is created for each day.
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
From this change of behaviour of the SAP_ALL profile, it follows that all automatic methods for taking over the overall authorisation are no longer available in the fields of the S_RFCACL authorization object.