SAP Authorizations Roles and permissions in SAP SuccessFactors often grow organically and become confusing - SAP Corner

Direkt zum Seiteninhalt
Roles and permissions in SAP SuccessFactors often grow organically and become confusing
SAP license optimization
SAP_NEW represents a specific permission profile that summarises the concrete permission changes between two SAP release levels. A distinction should be made between SAP's delivery of the SAP_NEW profile and the generation of an SAP_NEW role with a corresponding profile by you as a SAP customer (see also the SAP hint 1711620). Depending on the authorisation tracking procedure, the SAP_NEW permission can be assigned to any user in a development and quality assurance system immediately after the technical system upgrade. However, the goal is to assign to each user in the production environment only permissions that they need for their business operations. In the context of upgrades, the correct permissions must be determined and integrated into the corresponding permission roles.

Define explicit code-level permission checks whenever you start transactions from ABAP programmes or access critical functions or data. This is the easiest and most effective defence to protect your business applications from misuse, because programming-level permission checks can ensure two things: Incomplete or incorrect validation of the executed transaction start permissions will result in compliance violations. Complex permission checks can also be performed adequately for the parameterized use of CALL TRANSACTION.
Set Configuration Validation
In order to provide user authorisation support, you often need their information. However, there is also the possibility to view missing permissions centrally for all users. If a user has a permission issue, a ticket is usually displayed at support. However, it is difficult for a support worker to understand permissions errors because they have different permissions and are often missing detailed information about the application where the permission error occurred. In practice, therefore, support staff often help themselves by asking the user to send a screenshot of the transaction SU53. Because this transaction shows the last failed permission check. In many cases, however, the information displayed there is not helpful to the permission administrator. You may have seen that a screenshot from the SU53 transaction shows a missing permission for typical base authorization objects, such as S_ADMI_FCD, S_CTS_ADMI, or S_TRANSLAT, but you know that your check has nothing to do with the actual permissions problem in the application. So you need the opportunity to see for yourself.

In general, we recommend you to use strong encryption mechanisms and to switch most users to an SSO login. You should then delete the hash values of the user passwords as described above. For release-dependent information on SNC client encryption, see SAP Note 1643878.

The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".

You can add your permission suggestions from the trace using the Object > Insert objects from Permissions Trace > Local (see Tip 40, "Use Permission Trace to Determine Suggest Values for Custom Developments").

If you want to know more about SAP authorizations, visit the website

Now maintain the permissions and organisation levels.
SAP Corner
Zurück zum Seiteninhalt