Use SAP_NEW correctly
Use the authorisation route to identify proposed values for customer developments
You can limit the recording to a specific user. You can also use the trace to search only for permission errors. The evaluation is similar to the evaluation of the system trace in the transaction ST01. In transaction STAUTHTRACE, however, you can also evaluate for specific authorization objects or for specific permission check return codes (i.e. after positive or negative permission checks). You can also filter multiple entries.
The SAP standard allows you to evaluate the statistical usage data via a standard function block. The call is made through the transaction SE37. Select here the function block SWNC_GET_WORKLOAD_STATISTIC. The function block is used to write the usage statistics to a temporary table, from which you can extract the data for further use.
Displaying sensitive data
Permissions are often not restricted because there is often no information about how the object should be shaped. The identification of the required functional components is often considered to be too burdensome and the risks from a lack of limitation are considered to be too low.
Trace after missing permissions: Run the System Trace for Permissions (ST01 or STAUTHTRACE transaction) to record permission checks that you want to include in the role (see Tip 31, "Optimise Trace Evaluation"). Applications are logged through the Launch Permissions checks.
Authorizations can also be assigned via "Shortcut for SAP systems".
Now you can use the organisational criterion in your PFCG role.
You can create them in accordance with your audit requirements.