Use system recommendations to introduce security
Check and refresh the permission buffer
Many tools that offer to simplify care operations of the transaction PFCG work Excel-based. The complete roll data is stored and processed in Excel. Then the Excel file is uploaded with a special programme and generates roles and role changes. While this all looks very comfortable (and probably is at first), it has its drawbacks in the long run.
A user reports that he or she is receiving a permission error even though you have granted him or her the required permissions. This could be due to a faulty buffering of the permission data. Although a user has been assigned a role with the correct permission data, this user is presented with a permission error due to missing permissions. This may be surprising at first glance, but it can almost always be fixed by a short analysis.
Customising User and Permissions Management
Then run step 2c. Here too, there are new features. You will be shown a selection of the roles to match again. However, you have the possibility to perform a simulation of the mixing process via the button Mix. This allows you to see which permissions would be changed in the roles without actually doing so. For more information, see Tip 44, "Compare Role Upgrade Permissions".
Various activities, such as changes to content or the assignment of roles, are made traceable via change documents. This authorization should only be assigned to an emergency user.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
However, we would like to point out that the granting of permissions for these tools in the production environment is considered to be critical to security, since it is very easy to allow access to large amounts of sensitive data in the case of erroneous or excessive permissions.
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
In this case, you need a public key pair for your ABAP system, which is stored as a Personal System Security Environment (PSE).