Which challenges cannot be solved with authorization tools alone?
Unclear responsibilities, especially between business and IT
The permissions in the NWBC are handled as well as in the normal SAP Easy Access menu. For example, you can assign transactions and Web Dynpro applications to the individual and collection roles in a defined menu structure in the Role menu. The navigation structure of the NWBC reflects the menu structure and settings of the corresponding PFCG role assigned to the user. The folder structure of the Role menu directly affects the navigation bar that is displayed to the user in the NWBC.
A troublesome scenario you're probably familiar with: You will soon be going live with a new business process and must now derive your roles in 97 accounting circles. Here eCATT can make your life easier. It's time again: If you don't have anyone in your department who likes to press the Copy button for several hours in the PFCG transaction, replace the Derive shortcut, and then customise the Organisation Levels (Origen) in the new roles on the Permissions tab (repeatedly connected to memory), the job will hang on you. Because there is hardly anything more boring, at the latest after one hour the first errors creep in. Whenever you have to roll out new roles, for example for your new premium business, to all your divisions, plants, etc. , the creation of the derived roles is tedious - because SAP does not offer smart mass maintenance. The SAP standard offers various ways to record and play on a massive scale. These tools are generally available for all operations in the SAP system, not just for role maintenance. Therefore, they are also more complex to operate, in order to be able to cover as flexibly as possible all possible application scenarios. eCATT is also no exception, so many users are still afraid to use it. But we can tell you from experience: After the second or third time, the creation of the test scripts is so quick that you'll wonder why you haven't always done it this way.
If an authorization system grows too much over the years and there is no structured approach, the result is uncontrolled growth. If companies wait too long with the cleanup, a complete rebuild of the authorization structure or a new concept may make sense. This must be clarified quickly in the event of a cleanup.
Determine if all recurring external services corresponding to area start pages and logical links have been removed from the GENERIC_OP_LINKS folder. Create a separate PFCG role for this folder. This PFCG role could contain all the basic permissions a user must have in SAP CRM. This includes the permission for the generic OP links. You can transfer this folder to a separate PFCG role by locally specifying the PFCG role that contains the GENERIC_OP_LINKS folder in the new PFCG role under Menu > Other Role >. Now maintain the PFCG role so that only the UIU_COMP authorization object remains active. Disable any other visible authorization objects. These are the authorization objects that allow access to data. You can maintain these authorization objects in the PFCG role, which describes the user's workplace. In the PFCG role that describes the desktop, you can now delete the GENERIC_OP_LINKS folder. If you remix the PFCG role, you will find that many of the unnecessary permissions objects have disappeared.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
In this context, you can use the SAP_NEW profile for support.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
If you have created your own applications, we recommend that you always implement your own permission check and do not just rely on application startup permissions such as S_TCODE, S_START, S_SERVICE, and S_RFC.