How to analyze roles and authorizations in the SAP system
Architecture of authorization concepts
You can do without taking obsolete profile data into account by adding the correction from SAP Note 1819126 and then setting the REC_OBSOLETE_AUTHS customising switch to NO in the table PRGN_CUST. This correction is also important because it fixes runtime problems when releasing role transports, resulting from the correction in SAP Note 1614407. As a general rule, you should always run bulk transport sharing in the background.
A manual comparison of role texts in an SAP system landscape with ZBV is very annoying. You can also automate the sync. I'm sure you know this. When creating or maintaining users in the Central User Administration (ZBV), you must manually start the text matching each time before assigning PFCG roles to provide you with the latest PFCG role definitions. Managing a large system landscape with many systems in your ZBV - including development, test and production systems - the text comparison can take a while.
The SAP authorization concept
For the ABAP stack, authorization profiles can be created either manually or by using the profile generator. However, the use of the profile generator is strongly recommended, since manual administration usually results in misconfigurations of authorizations. The profile generator guarantees that users only receive the authorizations assigned by their role. Concepts, processes and workflows must therefore be adapted to the use of the profile generator. There is no choice for the Java stack; here the J2EE authorization mechanism must be used. The User Management Engine offers options that go beyond the J2EE standard.
The freeware Scribble Papers puts an end to the confusing paper chaos. The tool is also suitable for storing, structuring and quickly finding text documents and text snippets of all kinds in addition to notes.
If RFC function modules are called via RFC connections (for example, from an RFC client program or another system), an authorization check is performed on authorization object S_RFC in the called system. This check checks the name of the function group to which the function module belongs. If this check fails, the system also checks the authorizations for the name of the function module. Configure this check with the auth/rfc_authority_check parameter.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
Customising the organisational criteria is cross-client.
For this reason, you cannot maintain this table in systems that are locked against cross-client customising.