Use automatic synchronisation in central user management
Temporarily disable Central User Management
For the entries in the SPTH table, note that the application defines whether a file is accessed with or without the path. For example, the related transactions ST11 (error log files) and AL11 (SAP directories) behave differently. While ST11 opens almost all files without a path (they are in the DIR_HOME directory anyway), AL11 basically uses fully specified file names with a path. An entry in the SPTH table with PATH = / is therefore misleading. It specifies that the defined access restrictions apply to all files specified by path. However, this only applies to applications that access files using a specified path. However, applications that access files without a path are not restricted; Files in the DIR_HOME directory may be excluded.
First, create an overview of the customising tables currently available in your system. To do this, open the DD02L table and search for tables that start with Y, Z or your specific customer name space. Tables with delivery class C (such as customising, found in column A) are the relevant tables in this context. The descriptive texts to the tables can be found in the table DD02T.
Controlling file access permissions
If you have a Central User Administration (ZBV) in use, there are certain dependencies between the base release of your ZBV and the base release of the subsidiary systems. Check the compatibility of your systems before setting the login/password_downwards_ compatibility profile parameter. For details on the technical dependencies between releases, see SAP Note 1458262.
So much information... how can you keep it so that you can find it again when you need it? That's what Scribble Papers is great for.
Personally, I'm a big fan of the role-based authorizations in SAP SuccessFactors and I'm glad the system has such extensive capabilities. To review your need for action in this area, I advise you to ask yourself the following questions: Do you know which users get which SAP authorizations and why? Can you explain the concept to your data protection officer? Is it easy for you to introduce a new process because you know how the authorizations work? If you have to answer "no" here (several times), I recommend you to dedicate yourself to the topic. It will make their lives easier in the future. If you need help with this, feel free to contact us!
Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.
Users can activate or deactivate processes without affecting other processes.
The specific SAP_NEW authorization object imprints are provided via the SAP_BASIS component.