Use SAP_NEW correctly
Existing permissions
You have already created roles for SAP CRM and would like to add additional external services? Nothing easier than that! Create PFCG roles for the SAP CRM Web Client, typically so that you complete the customising of the CRM business role before creating the PFCG role, based on this customising. However, the customising of the CRM business role may be updated. The PFCG role must now also be adjusted, otherwise the newly configured area start pages or the logical links will not be visible. However, there is no automatism for this, as it exists during the initial creation of the role menu. You must apply the adjustment manually in the PFCG role.
Which applications have similar or identical features? Use application search to find out. Suppose you want to allow access to certain data for specific users or revisors. An auditor can usually view the contents of defined tables; However, in order not to give the auditor permission to use the generic table tools, such as the SE16, SM30 transactions, etc. , you need to verify that the relevant tables may be provided through other transactions. The actual function of the alternative application should not be used.
Default permissions already included
You can implement the first request for additional verifications when performing document transactions by using document validation. In this example, we assume that the document is posted through an interface and that you want to check permissions for custom authorization objects and/or certain data constellations. There are different dates for document validation. The complete document can always be validated, if only the information from document header (time 1) or document position (time 2) is available to you, this can also be sufficient depending on the scenario. In such cases, you need to create validation at the appropriate times. Before you can write a User-Exit in a validation, you have to make some preparations.
Note that the SAP_NEW_ individual profiles should be retained themselves, so that at any given time, traceability is ensured as to which release and which permission was added. For more information, see SAP Notes 20534, 28175, and 28186. SAP Note 1711620 provides the functionality of an SAP_NEW role that replaces the SAP_NEW profile. If you have added this note, the profile will no longer be used. Instead, you can generate your PFCG role SAP_NEW by using the REGENERATE_SAP_NEW report. When you call the report, in the source and target release selections, type in the appropriate fields, and the role is created for that release difference.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
Only then can the new process be meaningfully inserted into the authorization concept.
For an up-to-date description of the eligibility tests in the EWA, see SAP Note 863362.