Roles and permissions in SAP SuccessFactors often grow organically and become confusing
User & Authorization Management with SIVIS as a Service
All external services for cross-navigation are stored in the role menu in the GENERIC_OP_LINKS folder. In addition to this information, this folder also contains external services that represent the already mentioned area start pages and logical links. You can delete the latter, as these are duplicates from the other folders or non-relevant external services. Now, to set up correct permissions for the non-manageable external services in the GENERIC_OP_LINKS folder, you can identify the external services you need for your CRM business role and delete all other external services. However, as I said, there is a risk that too many external services will be deleted and cross-navigation or calling the saved searches will no longer work. It is better to move the GENERIC_OP_LINKS folder to a separate role.
Historically grown authorization structures can be found especially in system landscapes that have been in operation for a long time. Instead of small, modular, job-specific roles, existing roles are continually expanded and assigned to different employees in different departments. While this leads to less administrative work in the short term, it causes the complexity of the role to increase massively over time. As a result, the efficiency of authorization development is increasingly lost.
Customizing
To make changes to the table logger, you must have the same permissions as the SE13 transaction to customise, so you must have the appropriate permissions for all tables to modify. The changes are always written to a transport order. The RDDPRCHK report allows you to enable table logging for multiple tables; however, it is not possible to disable logging on multiple tables. This is still only possible through the SE13 transaction.
This only takes into account the applications that are maintained in the role menus of the selected PFCG roles. If you have set the check for Only applications with changed SU22 data, only applications where the suggestion values have been changed by an import, e.g. by Support Packages or Enhancement Packages, will be used. Take the step to take the data from the SU22 transaction by selecting your applications. You will now get a list of applications that you need to match. Select the rows that the applications to match. The buttons in the menubar help you to adjust.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
The variants are the input in our script.
As already mentioned, these are mostly based on the SAP modules.