Use the authorisation route to identify proposed values for customer developments
Application Permissions
You can set up a nightly background job to match the certificates with your customer's own programme. This requires that the certificates can be obtained through an SAP programme.
You can still assign roles and profiles to a user if you have the appropriate permissions to these activities. As long as no user group is associated with the user, permissions for any user group will be sufficient. If you assign a user group to the newly created user, all the checks will be repeated for that user group.
Use automatic synchronisation in central user management
Once you have edited the role menu, you can customise the actual permissions in the PFCG role. To do this, click the Permissions tab. Depending on the quantity of external services from the Role menu, the authorization objects will appear. The authorization objects are loaded into the PFCG role, depending on their suggestion values, which must be maintained for each external service in the USOBT_C and USOBX_C tables. You can edit these suggested values in the SU24 transaction. Make sure that external services in the Customer Name Room also have the names of external services and their suggestion values in the tables maintained (see Tip 41, "Add external services from SAP CRM to the proposal values"). Visibility and access to external services is guaranteed by the UIU_COMP authorization object. This authorization object consists of three permission fields: COMP_NAME (name of a component), COMP_WIN (component window name), COMP_PLUG (inbound plug).
The requirements for the architecture of authorization concepts are as individual as the requirements of each company. Therefore, there is no perfect template. Nevertheless, there are topics that should be considered in an authorization concept.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
To do this, use the customising that you will also find in the transaction SAIS under the button Administration of the audit environment.
It must be clear which rights are required for the individual tasks in the system.