Authorization Analysis
Do not assign SAP_NEW
The high manual maintenance effort of derived roles during organisational changes bothers you? Use the variants presented in this tip for mass maintenance of role derivations. Especially in large companies, it often happens that a worldwide, integrated ERP system is used, for example, for accounting, distribution or purchasing. You will then have to limit access to the various departments, for example to the appropriate booking groups, sales organisations or purchasing organisations. In the permission environment, you can work with reference roles and role derivations in such cases. This reduces your administrative overhead for maintaining functional permissions and reduces the maintenance effort for role derivations to adapt the so-called organisational fields. However, maintaining the organisational fields can mean enormous manual work for you, as the number of role derivations can become very large. For example, if your company has 100 sales organisations and 20 sales roles, you already have 2,000 role outlets. Here we present possible approaches to reduce this manual effort.
For result and market segment accounting, you can define planning authorization objects, the information system, and item-based reports of the information system. In the customising (transaction SPRO), you create them via the following path and then select the corresponding section. Controlling > Income and market segment calculation > Tools > Permissions management > CO-PA specific eligibility objects.
Use SU22 and SU24 transactions correctly
Permissions are often not restricted because there is often no information about how the object should be shaped. The identification of the required functional components is often considered to be too burdensome and the risks from a lack of limitation are considered to be too low.
However, there is also the situation that eligibility fields are collected at organisational levels. If these permission fields have already been filled with values in the PFCG roles, you must refill these organisation levels after categorising the permission fields as organisation levels. The PFCG_ORGFIELD_ROLES report helps you to do this, which matches all the roles with the organisation level fields, i.e. with the permission fields maintained in the organisation level fields.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
To install this extension, you will need a kernel patch.
However, only profiles and no roles are loaded into the permission buffer.