Risk: historically grown authorizations
Conclusion and outlook
You can use your own authorization objects to develop permission checks to authorise your custom applications or extend default permissions. So far, the maintenance of the authorization objects has been very unmanageable. Authorization objects can be displayed and recreated in the transaction SU21. Creating authorization objects over this transaction has not been very user-friendly. If the input was not done correctly, the dialogue was sometimes not transparent and confusing for the user. The same was true for storing a authorization object. Several pop-up windows indicate further care activities. Another problem is that the proof of use of the authorization object is limited to finding implementations of the authorization object. However, authorization objects are also used in other places, such as suggestion value maintenance and permission maintenance. Another problem is the use of namespaces. For SAPartner who want to maintain their permission checks in their namespaces, the classic name rooms, starting with J, are used up.
Giving permissions to specific functions that are called in SAP CRM through external services requires some preliminary work. Users working in SAP CRM use the SAP CRM Web Client to invoke CRM capabilities. For this to work smoothly, you must assign a CRM business role to the user, which provides all the CRM functionality necessary for the user. If the role should only allow access to certain external services, regardless of the customising (or only to the external services specified in the customising), it becomes a little trickier. All clickable elements in the SAP CRM Web Client, such as area start pages or logical links, are represented by CRM UI components. These UI components are, technically speaking, BSP applications. By clicking on such a component, the user gains access to certain CRM functions. These UI components are represented in the roles as external services. You must explicitly allow access to these UI components through PFCG roles, similar to the permissions for access to specific transactions.
Use SU22 and SU24 transactions correctly
By default, the transactions from the role menu can be found here as derived authorization values. Over the value assistance (F4) can be called partially the available functions fields to these field.
In order to make a well-founded statement about the complexity and the associated effort, a fundamental system analysis is required in advance. The results obtained from this form an excellent basis for estimating the project scope and implementation timeframe.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
Care is carried out in the transaction SU24.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
System performance also suffers as the amount of data increases.