Module
Basics SAP Authorizations including Fiori - Online Training
Your system landscape does not correspond to a typical three-system landscape? Find out what you should consider when upgrading the suggested values of roles. Your system landscape may differ from the typical three-system landscapes, for example, because you have several development systems or development mandates. Transports are then used to merge all developments and customising entries into one consolidation system. Perform your upgrade work in the SU25 transaction and use Step 3 to transport your SU24 data. By contrast, perform this step in all development systems, run all transports together in your consolidation system, and only the last import of the tables is used. The same entries are also recognised as deleted entries. The same is true with your PFCG rolls. Maintain these in multiple development systems or mandates, and if you now want to transport the rolls with their generated profiles, there is a risk that the profile numbers will be the same, as the profile names consist of the first and third characters of the system ID and a six-digit number. If the profiles originate from the same system (even if the client is a different one), import errors may occur due to the same profile names. In addition, the origin of the profile can no longer be traced afterwards. Therefore, you need a way to transport the data for the permission proposal values and the PFCG rolls in Y landscapes in a transparent and consistent way.
This only takes into account the applications that are maintained in the role menus of the selected PFCG roles. If you have set the check for Only applications with changed SU22 data, only applications where the suggestion values have been changed by an import, e.g. by Support Packages or Enhancement Packages, will be used. Take the step to take the data from the SU22 transaction by selecting your applications. You will now get a list of applications that you need to match. Select the rows that the applications to match. The buttons in the menubar help you to adjust.
Organisational allocation
In the course of a comprehensive protection of your system from the inside as well as from the outside it is indispensable to have a closer look especially at the SAP standard users. They have far-reaching authorizations that can cause great damage to your system if misused. It should be noted that they are very important for the operational execution of your SAP system and must not be deleted. However, since the associated standard passwords can be quickly researched, they must be changed immediately after delivery of the SAP ERP. You can perform a detailed check of these users using report RSUSRS003. It is also recommended to set certain default users inactive until they are actually used.
Then run step 2c. Here too, there are new features. You will be shown a selection of the roles to match again. However, you have the possibility to perform a simulation of the mixing process via the button Mix. This allows you to see which permissions would be changed in the roles without actually doing so. For more information, see Tip 44, "Compare Role Upgrade Permissions".
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
Reasons for incorrect organisational levels are values that have been manually maintained in the authorization object itself, instead of using the Origen button, as well as incorrect transports or incorrectly created or deleted organisational levels.
However, these should be documented in a comprehensible manner so that an external auditor, such as the auditor's IT auditor, can check the plausibility.