Authorization objects of the PFCG role
Service User
The authorisation trace is a client- and user-independent trace. The results of this trace are written in the USOB_AUTHVALTRC table and can also be viewed in the STUSOBTRACE transaction by clicking the Evaluate button. This trace data can be used by developers to maintain the permission proposal values in the transaction SU22 (see also Tip 40, "Using the permission trace to determine suggested values for custom developments").
It's never too late to rethink your authorization concept. Start by defining the objective of each role and take advantage of the reporting offered in SAP SuccessFactors.
System Settings
Other dangers include admins simply copying user roles, not having control processes for permission assignments, or not following the processes over time. In this context, two things should be clarified: Which SAP user is allowed to access which data? How do the roles differ (especially if they are similar)?
Since the role menu has been adjusted, the PFCG role must now also be adjusted. To do this, go to the Permissions tab and select the Change Permissions Data button. If you are using Expert mode, make sure that the Alten Stand default is read and match with new data. Now the new suggested values for this external service are loaded. After you have maintained the PFCG role, you can generate the profile and insert it immediately.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
To do this, you must first identify the additional necessary events and define their message texts and variables.
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
The report PFCG_ORGFIELD_DELETE serves for this purpose.