Efficient SAP rollout through central, tool-supported management
Maintain authorization objects more easily
Once you have edited the role menu, you can customise the actual permissions in the PFCG role. To do this, click the Permissions tab. Depending on the quantity of external services from the Role menu, the authorization objects will appear. The authorization objects are loaded into the PFCG role, depending on their suggestion values, which must be maintained for each external service in the USOBT_C and USOBX_C tables. You can edit these suggested values in the SU24 transaction. Make sure that external services in the Customer Name Room also have the names of external services and their suggestion values in the tables maintained (see Tip 41, "Add external services from SAP CRM to the proposal values"). Visibility and access to external services is guaranteed by the UIU_COMP authorization object. This authorization object consists of three permission fields: COMP_NAME (name of a component), COMP_WIN (component window name), COMP_PLUG (inbound plug).
Unlike the EWA, the SOS is able to list users that require extensive permissions. So you can maintain a whitelist. We recommend that you deal with the results of the SOS as follows: Verify that all identified users require critical permission. Complete the users who need this permission in the whitelist. Remove this permission from other users.
Use AGS Security Services
Another option is to not assign the SAP_NEW permission to a user. For example, during the tests to be performed, both the development system and the quality assurance system will experience permission errors. These should then be evaluated accordingly and included in the appropriate eligibility roles for the correct handling of the transactions.
So much information... how can you keep it so that you can find it again when you need it? Scribble Papers is a "note box" that makes this very easy.
We recommend that you implement all safety instructions of priority very high (1) and high (2) directly. On the other hand, you can implement medium (3) and low (4) security advisories via support packages, which you should also include regularly. If you are unable to insert a support package at the moment, SAP will also provide you with the priority 3 and 4 security advisories. For the evaluation of the security advisories, you should define a monthly security patch process.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
Alternatively, you can compare to an actual system; For example, this is a useful function in the context of a roll-out.
However, maintaining the organisational fields can mean enormous manual work for you, as the number of role derivations can become very large.