Maintain proposed values using trace evaluations
Authorization objects of the PFCG role
Giving permissions to specific functions that are called in SAP CRM through external services requires some preliminary work. Users working in SAP CRM use the SAP CRM Web Client to invoke CRM capabilities. For this to work smoothly, you must assign a CRM business role to the user, which provides all the CRM functionality necessary for the user. If the role should only allow access to certain external services, regardless of the customising (or only to the external services specified in the customising), it becomes a little trickier. All clickable elements in the SAP CRM Web Client, such as area start pages or logical links, are represented by CRM UI components. These UI components are, technically speaking, BSP applications. By clicking on such a component, the user gains access to certain CRM functions. These UI components are represented in the roles as external services. You must explicitly allow access to these UI components through PFCG roles, similar to the permissions for access to specific transactions.
TMSADM: The user TMSADM serves the communication between SAP systems in the transport management system and is automatically created in the client 000 when they are configured. TMSADM only has the permissions to access the common transport directory, view in the change and transport management system, and the necessary RFC permissions. Safeguard measures: Change the user's passwords in each client. There is the report TMS_UPDATE_PWD_OF_TMSADM, which you have to start in the client 000. This is only possible if you have administrator privileges on all systems in the landscape and the password rules of the systems are compatible. After the report has been successfully passed, all TMSADM users of the landscape in the client 000 and their destinations have the same new password.
Analyzing the quality of the authorization concept - Part 1
The specific SAP_NEW authorization object imprints are provided via the SAP_BASIS component. Therefore, an SAP_NEW profile is always bound to a specific base release. Proceed as follows: With the transaction SU02, you remove all old, individual profiles from the SAP_NEW composite profile, including the profile that belongs to the start release of your upgrade. Now assign the reduced SAP_NEW permission profile to all users in the upgrade preparation system, ensuring that all users can work as usual. This step can be omitted if you are following another method to identify missing permissions. Now check all permissions in all remaining profiles within the SAP_NEW summary profile that have a higher release level than the SAP_BASIS upgrade start release. Map all required permissions to all productive roles in your permission concept. You can do this for each intermediate release individually. The next step is to adjust the permissions in your productively used roles in the PFCG transaction, and then remove the corresponding permissions from the SAP_NEW profile using the SU02 transaction. Repeat steps 3 through 4 until the SAP_NEW permission profile is empty. Work in a development system during the role adjustment phase and transport the adjustments made to your eligibility roles to your quality assurance system. After successful acceptance test, you transport them to the production system. Now you can remove the SAP_NEW profile from all users. You can then proceed with role follow-up as part of the release change in the SU25 transaction (see also Tip 43, "Customise Permissions After an Upgrade").
Now switch to User Care and you will find that this PFCG role is not yet assigned to your user. To do this, you must first perform the user master synchronisation. You can perform this manually via the transaction PFUD or schedule it as a job. The background job PFCG_TIME_DEPENDENCY or the report RHAUTUPD_NEW is intended for this.
Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.
It is therefore only a matter of time before SAP itself also delivers optimized support in the form of tools as standard.
To do this, run the report CRMD_UI_ROLE_PREPARE.