Assignment of roles
How to analyze roles and authorizations in the SAP system
First, create an overview of the customising tables currently available in your system. To do this, open the DD02L table and search for tables that start with Y, Z or your specific customer name space. Tables with delivery class C (such as customising, found in column A) are the relevant tables in this context. The descriptive texts to the tables can be found in the table DD02T.
It is important that after the AUTHORITY-CHECK OBJECT command is called, the return code in SY-SUBRC is checked. This must be set to 0; only then a jump is allowed.
Reset Manually Maintained Organisation Levels to Roles
If a transaction is removed from the role menu, the default permission is deleted when mixing. However, this only applies if no further transaction requires this permission and therefore uses the same permission proposal. This applies to both active and inactive default permissions.
Organisation levels ensure more efficient maintenance of the eligibility roles. You maintain them once in the transaction PFCG via the button Origen. The values for each entry in this field are entered in the permissions of the role. This means that you can only enter the same values for the organisation level field within a role. If you change the values of the individual fields in the authorization objects independently of the overarching care, you will receive a warning message that you will no longer be able to change this field by clicking the Ormits button and that this individual value will be overwritten when you adjust derived roles. Therefore, we strongly advise you not to carry out individual maintenance of the organisation level fields. If you adhere to this advice, as described above, there can always be only one value range for an organisation level field. For example, the combination of displaying all posting circuits and changing a single posting circle within a role cannot be implemented. Of course, this has implications if you want to upgrade a field to the organisation level. A field that has not previously served as an organisational level can include such entries with different values within a role. You must clean up these entries before you declare a field as an organisation level. In addition, the definition of a field as an organisational level also affects the proposed permissions values of the profile generator.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
For the fixes and an overview of the required support packages, see SAP Notes 1411741 and 1465495.
You will be aware that you do not necessarily have to move in the Customer Name Room when assigning names of PFCG roles and therefore have a lot of freedom.