Roles and permissions in SAP SuccessFactors often grow organically and become confusing
Add New Organisation Levels
The Three Lines of Defense model is used to systematically approach risks that may arise in companies. It integrates operational controls as well as risk management, information security, and internal auditing. It can be used to assess and classify the risks arising from SAP authorizations. The monitoring of risks is incorporated into the processes, so that there is constant control by various bodies. This reduces the risks considerably and ensures a clean authorization assignment.
First, the Web application developers must implement appropriate permission checks and make them available for role maintenance in transaction PFCG. This includes maintaining the proposed values in transaction SU22. SAP Note 1413012 (new reusable startup authorisation check) provides all the necessary details.
Create order through role-based permissions
All external services for cross-navigation are stored in the role menu in the GENERIC_OP_LINKS folder. In addition to this information, this folder also contains external services that represent the already mentioned area start pages and logical links. You can delete the latter, as these are duplicates from the other folders or non-relevant external services. Now, to set up correct permissions for the non-manageable external services in the GENERIC_OP_LINKS folder, you can identify the external services you need for your CRM business role and delete all other external services. However, as I said, there is a risk that too many external services will be deleted and cross-navigation or calling the saved searches will no longer work. It is better to move the GENERIC_OP_LINKS folder to a separate role.
Each role can be written to any number of transport orders. No information is provided about existing records of the same role made by other administrators.
Authorizations can also be assigned via "Shortcut for SAP systems".
Now the upgrade work can begin.
This note ships with the RSAUDIT_SYSTEM_STATUS report.