Dissatisfaction and unclear needs in the process
Authorization concepts - advantages and architecture
If you do not have authorization e.g. for a transaction and you get a message that you are missing authorization, you can use transaction SU53 to analyze the missing authorization. This transaction shows the last failed authorization check, including the authorization objects and authorization fields.
Now the structure must be filled "with life". To do this, you must first create meaningful subfolders in the customer's own structure. As already mentioned, these are mostly based on the SAP modules. Make sure that you also set your customising for additional add-ons, so that later the work of support organisations is easier. Call the transaction SOBJ. There, you create customising objects that will later be reused in your IMG structure. It is useful to name the object exactly as the corresponding table. This simplifies the later maintenance in the IMG structure. Here you also decide whether and how the tables can possibly be maintained in the productive system. To do this, select the appropriate entries in the Category and Transport fields and check the Current setting option. Repeat this for all custom customising tables that are still needed.
Authorization concept - user administration process
Step 2d (Show Modified Transaction Codes) lists all roles that have been found to use an old transaction code. Sometimes, new transaction codes replace old transaction codes. In this step you have the option to exchange the transaction codes. Once you have completed the upgrade of the Eligibility proposal values, you will be given the option in Step 3 (Transport of the Customer Tables). Transport your permissions suggestions in your system landscape.
The system checks direct access to the contents of tables, for example, with transactions SE16, SM30, or SE16N with authorization checks on a table authorization group, object S_TABU_DIS. If there are no suitable authorizations for the table authorization group, the system checks the name of the table or view, object S_TABU_NAM. When making changes to client-independent tables, the system also checks the authorizations for object S_TABU_CLI. If you have configured line-based authorization checks in Customizing, the system also checks authorization object S_TABU_LIN. Assign tables or views to a table authorization group using transaction SE11 or SE54. You can also define table authorization groups using transaction SE54. If your customer development implements direct access to a table, use the VIEW_AUTHORITY_CHECK function module to perform the authorization check. For more information about generic access to tables, see SAP Note 1434284 Information Published on SAP Site and the online documentation for the authorization objects mentioned above.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
You can also maintain and manage the solutions yourself afterwards, or you can trust us to run them for you: We call this Customer Success.
This PFCG role could contain all the basic permissions a user must have in SAP CRM.