Lack of definition of an internal control system (ICS)
SAP S/4HANA® Launch Pack for Authorizations
If the FIORI interface is then used under SAP S/4HANA, the additional components must also be taken into account here. Authorizations are no longer made available to the user via "transaction entries" in the menu of a role. Instead, catalogs and groups are now used here. These are stored similar to the "transaction entries" in the menu of a role and assigned to the user. However, these catalogs must first be filled with corresponding tiles in the so-called "Launchpad Designer". It is important to ensure that all relevant components (tile component and target assignment component(s)) are always stored in the catalog. The FIORI catalog is used to provide a user with technical access to a tile. A corresponding FIORI group is used to make these tiles visually available to the user for access in the Launchpad.
SAP authorizations control the access options of users in an SAP system - for example, to personal data. Secure management of this access is essential for every company. This makes authorization concepts, authorization tools and automated protection of the SAP system all the more important in order to meet the stringent legal requirements with little administrative effort.
SAP Authorizations - Overview HCM Authorization Concepts
Typically, users access a table's data through applications rather than directly. If so, you should take precautions and restrict access to sensitive data. End users typically do not access table-level data directly, but the data is displayed in business applications and their display is restricted in context by means of entitlement checks. However, there are cases where generic access to tables via the SE16, SE16N, SM30, SM31 or SM34 transaction is required for administrators, key users, verifiers, etc. For example, a verifier should have read access to all customising tables. However, you do not want to display security-related tables. Key users should be able to access certain reports regularly, but only read information relevant to their work. There are several ways to restrict access to tables by using table tools. This means that users can only access tables or table contents that they want to see. However, we would like to point out that the granting of permissions for these tools in the production environment is considered to be critical to security, since it is very easy to allow access to large amounts of sensitive data in the case of erroneous or excessive permissions. Therefore, only apply these permissions in a restricted way.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
You can also find some useful tips from practice on the subject of SAP authorizations on the page "www.sap-corner.de".
HR authorizations are a very critical issue in many companies.