Do not assign SAP_NEW
Permissions with status
All external services with their suggested values can be viewed or maintained in the transaction SU24. Access to external services or all CRM functions and data within CRM functions is realised via PFCG roles. To create these PFCG roles, you must first create a role menu. To do this, run the report CRMD_UI_ROLE_PREPARE. You can specify either the name of the CRM Business Role (User Role) or the name of the assigned PFCG role. It is also important that you specify the language in which the PFCG role will be maintained in the appropriate field.
Authorization objects are defined with the help of transaction SU21. Each SAP transaction is equipped with the required authorization objects in SU24, which control access to specific functions within the respective program. Standard programs / transactions of an ERP system are already equipped with these objects during the initial installation. The same applies to other platforms such as CRM or Solution Manager.
Use the authorisation route to identify proposed values for customer developments
When creating the PFCG individual roles in the respective SAP system, you should create the menu structure so that they can be combined with other individual roles in a single role. Once you have created the individual roles with the correct role menu, you can assign them to a collection role. Add the Role Menu to the Collect Roll using the Read Menu button. The menu can now be finally sorted. If changes to the roll menu are necessary, however, you must first make them in the individual rolls and then remix them in the roll roll (using the Mix button, see figure next page above). Transactions from other SAP systems such as SAP CRM, SAP SCM etc. can also be integrated into the NWBC. To do this, you first create the PFCG role for the relevant transactions in the target system. From the individual roles you can create collection roles with a defined menu structure.
So much information... how can you keep it so that you can find it again when you need it? That's what Scribble Papers is great for.
SOS reports can be very comprehensive. In particular, if the Whitelists are not yet maintained, reporting volumes of up to 200 pages are not uncommon. Do not be discouraged in such a case, but start by cleaning up a manageable amount of critical SOS results. You can then edit the further results in several rounds. The AGS recommends which critical SOS results you should consider first; You can find these in the AGS Security Services Master slide set in the SAP Service Marketplace Media Library.
With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.
SAPCPIC: SAPCPIC is not a dialogue user, but is used for EDI usage in older releases (EDI = Electronic Data Interchange); in default, SAPCPIC has permissions for RFC access.
If this test is activated in an AS-ABAP installation (see also SAP Note 1413011), this will affect all clients.