Detect critical base permissions that should not be in application roles
Set up permissions to access specific CO-PA measures
You can now assign transactions to these roles. Experience has shown that roles should remain application-specific and that a distinction between book or investing, changing and reading roles is also useful. There will be regular transactions used in multiple roles. You should not overestimate the often demanded freedom of redundancy. However, for critical transactions or transactions that are involved in a functional separation conflict, it is recommended that they be kept in a separate role. In general, roles should not contain too many transactions; Smaller roles are easier to maintain and easier to derive. Also, assigning them does not quickly lead to the problem that users have too many permissions. If you keep the necessary functional separations in place, you have already prepared them as a takeaway.
The case that the user buffer is not up to date is very rare. The auth/new_buffering profile parameter sets the value 4 to immediately update the permissions, i.e. changes to the user root or roles or profiles, and write them to the USRBF2 database table without requiring a new login. This value is set by default. The fact that the buffer is not up-to-date is recognised by the fact that existing permissions that are not in the buffer are marked in the transaction SU56 with the note "In the root data but not in the user buffer".
Edit Old Stand
Secure management of access options in the SAP system is essential for any company. This makes it all the more important to analyze and improve the authorizations assigned. This step serves as optimal preparation for your S/4 HANA migration. Managed Services supports central and efficient administration to ensure an optimal overview. In order to sustainably improve your processes, a database provides information on possible optimizations for SAP licenses.
So much information... how can you keep it so that you can find it again when you need it? Scribble Papers is a "note box" that makes this very easy.
Certain permissions that are not relevant until a job step is run are checked at the time of scheduling for the specified step user. This checks whether the selected user is authorised to run the specified ABAP programme or external command. For programmes associated with a permission group, the S_PROGRAM object is checked. External commands test for the object S_LOG_COM.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
Excel-based tools typically do not know the release-specific suggestion values (they often work without the in-system suggestion value mechanism, because they do not use the PFCG transaction).
Upgrades also require that the eligibility roles be revised.