SAP Authorizations List of required organisational levels and their value - SAP Basis

List of required organisational levels and their value
Advantages of authorization concepts
Have you ever wondered who has critical permissions in your system? Have you lacked the tool and approach to identify these users? User management in an SAP system is always connected to permission assignment. Over the life cycle of a user in the SAP system, more and more permissions accumulate if they are not withdrawn once they are no longer needed. This accumulation inevitably results in users being able to perform more actions than you, as the permission administrator, would like. To avoid this, we want to give you a suitable tool.

Now switch to User Care and you will find that this PFCG role is not yet assigned to your user. For the role to appear there, you must first perform the user master synchronisation. You can run it manually via transaction PFUD or schedule it as a job. The background job PFCG_TIME_DEPENDENCY or the report RHAUTUPD_NEW is intended for this.
Use Central User Management change documents
Don't simplify your authorization concept before you know all the requirements; first ask yourself what you need to achieve. So analyse the processes first (if possible also technically) and then create a concept. Many of the authorisation concepts we found at customers were not suitable for meeting the requirements. Some of these were "grown" permission concepts (i.e., requests were repeatedly added) or purchased permission concepts. Many of these concepts had in common that they had been oversimplified rather than made simple. A good example is permission concepts that bundle all organisational levels in value roles or organisational roles. There are few examples, such as the role manager of the industry solution SAP for Defence and Security, in which the result of a value role concept is still useful and appropriate for the user. The assumption that you can "sometimes" separate out all the authorization objects that contain an organisational level is simple, but not useful. We never encountered the simplification that only a user with no permissions at all is guaranteed to have no illegal permissions. What we did always find, however, were users with far too many permissions, which left the system non-compliant.

Different organisational fields are used in each module. Since there are many interfaces between the modules, the main organisational fields of the modules must be linked. However, there are also organisational fields that are only relevant for the respective module. All object fields used as organisational units are listed in the USORG table. You can call this table through the SE16 transaction. Alternatively, in the selection screen of the AGR_1252 table, the value help of the VARBL field also shows the corresponding name for the respective organisation fields.
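
As an added example (not part of the original page), the following Python sketch builds the list of organisational levels and their values per role from an AGR_1252 export and flags levels that are unrestricted or not maintained. The role names, values and the pipe-delimited export layout are constructed for illustration; treating an empty LOW value as "not maintained" is an assumption.

```python
from collections import defaultdict

# Constructed sample: AGR_1252 rows exported from SE16 as pipe-delimited text.
# Role names and values are invented; the column layout is an assumption.
SAMPLE_EXPORT = """\
|AGR_NAME        |VARBL  |LOW  |HIGH |
|----------------|-------|-----|-----|
|Z_FI_CLERK_1000 |$BUKRS |1000 |     |
|Z_FI_CLERK_1000 |$KOKRS |1000 |     |
|Z_MM_BUYER_ALL  |$WERKS |*    |     |
|Z_MM_BUYER_ALL  |$EKORG |1000 |1999 |
|Z_SD_SALES_NEW  |$VKORG |     |     |
"""

def parse_export(text):
    """Return a list of dict rows from the pipe-delimited export."""
    header, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|") or set(line) <= set("|-"):
            continue  # skip blank lines and the separator row
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows

def org_levels_by_role(rows):
    """Map role -> {org level variable: [(low, high), ...]}."""
    roles = defaultdict(lambda: defaultdict(list))
    for r in rows:
        roles[r["AGR_NAME"]][r["VARBL"]].append((r["LOW"], r["HIGH"]))
    return roles

def findings(roles):
    """Flag org levels that are unrestricted ('*') or not maintained (empty)."""
    out = []
    for role, levels in sorted(roles.items()):
        for varbl, values in sorted(levels.items()):
            lows = [low for low, _ in values]
            if "*" in lows:
                out.append((role, varbl, "unrestricted"))
            elif not any(lows):
                out.append((role, varbl, "not maintained"))
    return out

if __name__ == "__main__":
    roles = org_levels_by_role(parse_export(SAMPLE_EXPORT))
    for role, varbl, issue in findings(roles):
        print(f"{role}: {varbl} is {issue}")
```
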

Authorizations can also be assigned via "Shortcut for SAP systems".

Giving permissions to specific functions that are called in SAP CRM through external services requires some preliminary work.

However, it is crucial to justify this in a comprehensible manner.