Roles and permissions in SAP SuccessFactors often grow organically and become confusing
Ensuring secure administration
Last but not least, a well-managed suggestion value maintenance helps you with upgrade work on suggestion values and PFCG roles. This ensures that your changes and connections to the respective PFCG roles are retained and new permissions checks for the new release are added to the applications.
Don't simplify your entitlement concept before you know all the requirements, but first ask yourself what you need to achieve. So first analyse the processes (if possible also technically) and then create a concept. Many of the authorisation concepts we found in customers were not suitable to meet the requirements. Some of these were "grown" permission concepts (i.e., requests were repeatedly added) or purchased permission concepts. Many of these concepts had in common that they had been oversimplified, not simply. A nice example is permission concepts that summarise all organisational levels in value roles or organisational roles. There are few examples, such as the role manager of the industry solution SAP for Defence and Security, in which the result of a value role concept is still useful and appropriate for the user. The assumption that you "sometimes" separate all the authorization objects that contain an organisational level is simple, but not useful. We have not found the simplification that only a user without permissions can definitely not have illegal permissions. However, there was always the case that users had far too many permissions and the system was therefore not compliant.
Make sense in maintaining proposal values
Reasons for incorrect organisational levels are values that have been manually maintained in the authorization object itself, instead of using the Origen button, as well as incorrect transports or incorrectly created or deleted organisational levels. Since correct inheritance can no longer occur in such cases, you need a way to reset incorrect values of the organisation levels in the PFCG roles.
So much information... how can you keep it so that you can find it again when you need it? That's what Scribble Papers is great for.
If you set the profile parameter dynamically, no users are logged out of the application server. You can prepare maintenance work in good time. The value 2 in the profile parameter does not prevent the login with the emergency user SAP*, if this is not set as user master record and the profile parameter login/no_automatic_user_sapstar is set to 0. You can also change the value of the parameter again at the operating system level. For details on the SAP user, see Tip 91, "Handling the default users and their initial passwords".
Authorizations can also be assigned via "Shortcut for SAP systems".
To ensure that the role remains understandable, the remaining characters should be used for a short description of the content as meaningful as possible.
Then click Evaluate.