Authorization tools - advantages and limitations
Use application search in transaction SAIS_SEARCH_APPL
If your user is assigned the privilege ROLE ADMIN (either directly or through a role), you can create your own roles and assign them to users. You can do this by drawing on existing privileges and roles. The privileges themselves are provided by developers with appropriate permissions to create applications, including the privileges they require. Often, as the permission administrator, you do not have the privilege to create privileges. This is also useful because only the application developer can decide what properties the privileges of using the objects in the application should have. The application developer also decides whether his application provides appropriate roles in addition to privileges.
Roles can be assigned to users directly through user management in the SU01 transaction, role maintenance in the PFCG transaction, or mass change of users in the SU10 transaction. However, if the employee changes his or her position in the company, the old roles must be removed and new roles assigned according to the new activities. Because PFCG roles are created to represent job descriptions, you can use organisational management to assign roles to users based on the post, job, etc.
Important components in the authorization concept
Customising roles are temporary because of their project nature. Therefore, when assigning users, maintain the end date. You cannot also map transactions manually if you created a role directly from a project or project view. Conversely, you cannot use an existing transaction role in the menu as a customising role. The transactions associated with a customising role are not displayed in the Session Manager or the SAP Easy Access menu, but can only be viewed through the view in the customising.
So much information... how can you keep it so that you can find it again when you need it? That's what Scribble Papers is great for.
In compliance with the minimum principle and the separation of functions, the roles used must be defined, along with specifications for their naming, structure and use. Close attention should also be paid to the application and allocation process in order to prevent authorization conflicts, which arise primarily as a result of employees' changing or expanding areas of responsibility.
Authorizations can also be assigned via "Shortcut for SAP systems".
This means that the individual processing steps of the job are technically carried out by the stored user with his or her authorizations.
Often, those responsible in the company do not want to make a correction because it causes costs and work.