Roles and permissions in SAP SuccessFactors often grow organically and become confusing
Depending on the configuration of root data and processes, different permission checks can be relevant, so that it makes sense to adjust the proposed values. If custom applications have been created in the form of Z-transactions, Web-Dynpro applications, or external services, you must maintain suggestion values for these applications to avoid having manual permissions in the PFCG roles. You must ensure that custom applications are not always visible in the SU24 transaction. This is the case for TADIR services and external services. To learn how to make these services available for suggestion maintenance, see Tip 38, "Use the SU22 and SU24 transactions correctly.".
In the simulation overview you will now receive all the information you already know from the authorisation maintenance in the transaction PFCG. The results are presented in a table where each row corresponds to a value interval of a permission. The Object column specifies the authorization object. Use the Active/Inactive column to determine if the permission has been disabled. The Maintenance Status and Update Status columns provide information about the status of the permission and how the permission has been updated. In the Permissions Comparison column, you can find out what exactly changed on the permission, such as whether a permission has been deleted or added anew, or whether the field values in the permission have been updated. You can find information about the field values in the Value Comparison column, which shows whether values have remained the same, whether they have been added or deleted. The values that were actually deleted and added can be seen in the columns from Value to Value (see figure next page). Please note that this is only a simulation. You must still perform the actual mixing process in the permission maintenance. Because reel mixing is not only a factor in upgrade work, the transaction SUPC also provides the ability to call this simulation mode. In the overview of the selected rolls you will find the button Mix which simulates the mixing process.
In the transaction SU01, enter a non-existent user ID and click the Create button (F8). The BAdI BADI_IDENTITY_SU01_CREATE is called with the new user ID. Implementation in the BAdI is running. For example, here you can read additional attributes to the new user from an external data source. The data collected within the BAdIs is written into the fields of the transaction SU01. This will show you the new user master set with the pre-filled fields. You can edit the user master record, such as assign roles, or change the pre-populated fields.
So much information... how can you keep it so that you can find it again when you need it? That's what Scribble Papers is great for.
Authorizations are assigned to users in SAP systems in the form of roles. The goal is to create a system that is as secure as possible and to keep the complexity and number of roles as low as possible. This is the only way to achieve a balanced cost-benefit ratio.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
If you set the profile parameter dynamically, no users are logged out of the application server.
The system status and the SAP hints already implemented are taken into account.