Maintaining Authorization Objects (Transaction SU21)
Read the old state and match with the new data
See SAP Note 1763089 for information on the system requirements and support packages you need to access the new feature. With these support packages the transaction SAIS, the new AIS cockpit, is delivered. The AIS has thus been switched from the previous role concept to thematic audit structures and offers new functions, such as logging all audit activities. The AIS has existed in the SAP system for quite a long time; It is designed as a tool for testing and evaluating SAP systems and is delivered by SAP ERP to the standard. It includes the function of audit structures, a collection of audit functions on the areas of commercial audit and system audit, including their documentation. The commercial audit includes organisational overviews and balance sheet and process orientated functions. For example, this allows you to evaluate information about financial accounting and tax receipts. The AIS system audit covers general system audits and analysis of users and permissions. For example, it includes functionality to check profile parameters or transport.
With the transaction SUIM you can search under roles, roles with different search criteria. The variant "Roles by complex selection criteria" covers all possible selection criteria. However, you can also search only for a specific selection criterion (e.g. only for transactions, only for authorization objects...).
Existing permissions
If you now want to assign PFCG roles indirectly to users via the organisation management, you have to use evaluation methods. Evaluation paths define a chain of relationships between objects within a hierarchy. For example, they define how an organisational unit or a post can be assigned to another organisational unit. This relationship is set to the User ID. However, if the business partner has also been maintained in organisational management, there is no standard evaluation path for this case and the user assigned to the role is not found. However, since in SAP CRM the user IDs are not directly assigned to a post, but via the business partner, you have to make adjustments to the evaluation paths before you can assign the roles indirectly.
Reference users are not intended to access an SAP system, but are used for authorisation administration and therefore always have a disabled password. Reference users inherit the permissions assigned to them to the users with whom the reference user is registered. For this purpose, the user buffer of the reference user is also created at login and these entries are also checked during permission checks of the inheriting user.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
Regardless of whether you select the degree of simplification COARS = 1 or 2, you should not enter * or SAPDBPNP (programme name of logical database PNP) in the REPID field.
It is not uncommon for developers to issue an authorization error of the type "No authorization for..." from their programs, but they have not checked this with a standard authorization check at all, so that the error is not an actual authorization error.