Authorizations in SAP systems: what admins should look out for
Maintain permission values using trace evaluations
You will be aware that you do not necessarily have to move in the Customer Name Room when assigning names of PFCG roles and therefore have a lot of freedom. The only limitation here is that you may not use the namespace of the roles that are interpreted by SAP. First, you must agree on the form of the names. A fundamental decision is to define the language in which the PFCG roles must be maintained. Although this does not necessarily have an influence on the role name, since it is the same in all languages, you will certainly have descriptive elements in your role name. The role description and the long text are also depending on the language. It is therefore useful to start the roles in the language which is also used most frequently, and also to cultivate the descriptive texts first in this language. If roles are required in different languages, you can translate the texts.
Sometimes implementation consultants are also confronted with the situation that no authorization concept exists at all. This happens, for example, when changes in SAP SuccessFactors responsibilities occur on the customer side or different implementation partners were active in the past. However, a missing concept can lead to errors in the system. Users cannot perform certain actions, or worse, people see sensitive data that they should not see. This can, in the worst case, constitute a DSGVO violation and lead to a fine for the company.
Assignment of critical authorizations and handling of critical users
The SAP authorization concept protects transactions and programs in SAP systems on the basis of authorization objects. Authorization objects enable complex checks of an authorization that are bound to several conditions. Authorizations represent characteristics of authorization objects depending on the employee's activity and responsibility. The authorizations are combined in an authorization profile that belongs to a role. The administrator assigns the appropriate role to the employee via the user master record so that the employee can perform his or her tasks in the system.
Authorizations can also be assigned via "Shortcut for SAP systems".
If you want to know more about SAP authorizations, visit the website "www.sap-corner.de".
If there is a change or difference in applications (changed check marks, suggestions, field values, or new or deleted authorization objects), the USOB_MOD or TCODE_MOD table of the MOD_TYPE is set to M.