User and authorization management
Permissions with Maintenance Status Changed or Manual
The best way for companies to combat historically grown uncontrolled growth in authorizations is to prevent it. An analysis of whether the current authorization concept is sufficient for the company helps here.
These single roles can also be combined into composite roles. I recently discussed the special features of this in the article "SAP Authorizations Mass Maintenance Single Role Assignments in Composite Roles per Function Module (FuBa) or Transaction Code", but here I would rather discuss the roles and assignment of authorization object field values in role maintenance with the PFCG for an authorization overview.
Customise SAP_ALL Profile Contents
All external services for cross-navigation are stored in the role menu in the GENERIC_OP_LINKS folder. In addition to this information, this folder also contains external services that represent the already mentioned area start pages and logical links. You can delete the latter, as these are duplicates from the other folders or non-relevant external services. Now, to set up correct permissions for the non-manageable external services in the GENERIC_OP_LINKS folder, you can identify the external services you need for your CRM business role and delete all other external services. However, as I said, there is a risk that too many external services will be deleted and cross-navigation or calling the saved searches will no longer work. It is better to move the GENERIC_OP_LINKS folder to a separate role.
The SAP_NEW profile is basically designed to bridge the release differences in eligibility checks after an upgrade and ensure that the established business processes remain executable after an upgrade. The SAP_NEW permission should only be assigned temporarily and only in emergencies in a productive SAP system after an upgrade.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
This fix extends the naming conventions so that namespaces in the /XYZ/ format can be used up to a maximum of eight characters.
If companies wait too long with the cleanup, a complete rebuild of the authorization structure or a new concept may make sense.