Redesign of SAP® Authorizations
Create permissions for customising
By inserting SAP Note 1723881, you resolve the third of these problems by banning the recording of the same role on different transport orders. To enable this change in system behaviour, you must set the CLIENT_SET_FOR_ROLES customising switch to YES in the PRGN_CUST table. This toggles the setting in the SCC4 transaction for changing and recording custom customising objects ("Client modifiability") for role maintenance.
The SAP HANA Studio application is available for maintaining and assigning HANA permissions to users. The SAP HANA Studio is installed on your workstation. You can then log in to one or more HANA databases with the user and password. The SAP HANA Studio and HANADatenbank are currently subject to extensive further developments; Therefore, the respective versions of the SAP HANA studio must be compatible with the HANA databases to be connected. For this reason, we recommend that you check the information about the use of certain versions of SAP HANA Studio in the SAP Notes.
Personally, I'm a big fan of the role-based authorizations in SAP SuccessFactors and I'm glad the system has such extensive capabilities. To review your need for action in this area, I advise you to ask yourself the following questions: Do you know which users get which SAP authorizations and why? Can you explain the concept to your data protection officer? Is it easy for you to introduce a new process because you know how the authorizations work? If you have to answer "no" here (several times), I recommend you to dedicate yourself to the topic. It will make their lives easier in the future. If you need help with this, feel free to contact us!
Unlike the EWA, the SOS is able to list users that require extensive permissions. So you can maintain a whitelist. We recommend that you deal with the results of the SOS as follows: Verify that all identified users require critical permission. Complete the users who need this permission in the whitelist. Remove this permission from other users.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
Business objects to which companies refer authorizations are defined in the system as authorization objects.
Another option is to not assign the SAP_NEW permission to a user.