Implementing CRM Role Concept for External Services
Schedule PFUD transaction on a regular basis
These single roles can also be combined into composite roles. I recently discussed the special features of this in the article "SAP Authorizations Mass Maintenance Single Role Assignments in Composite Roles per Function Module (FuBa) or Transaction Code", but here I would rather discuss the roles and assignment of authorization object field values in role maintenance with the PFCG for an authorization overview.
Excel-based tools typically do not know the release-specific suggestion values (they often work without the in-system suggestion value mechanism, because they do not use the PFCG transaction). This also means that it is not possible to upgrade rolls with standard SAP tools, such as the SU25 transaction. This also increases the dependency on the external tool, and the authorisation system is further removed from the SAP standard and the best practices recommended by SAP in role management.
Dissatisfaction and unclear needs in the process
I show how SAP authorizations can be assessed and monitored by using the Three Lines of Defense model. This method can be applied even if the model is not used for all enterprise risks. You will learn how to integrate the different stakeholders into the lines of defense and harmonize the knowledge for the process. Also, what tools can be used for controls and cleanups in each case. This ensures, for example, that managers are able to assess the risks and derive measures, and that administrators can technically clean up the risks.
If you want to export the movement data of the productive system to a development system, you should first export user master records and the permission proposal values and archive the complete change documents. After importing, you can then delete the imported change documents, in analogy to the client copy, and then reload and index the original change documents of the development system. The activities described here require administrative permissions for the change documents (S_SCD0 and S_ARCHIVE) and, if applicable, for the table logs (S_TABU_DIS or S_TABU_NAM and S_ARCHIVE). These permissions should be considered critical, and you should assign them to a small circle.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
After the hint has been inserted, the transaction SU10 will be expanded to include the login data button.
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
This is done based on evaluation paths in the org tree.