Standard authorisation
Lack of know-how
Your system has inactive users? This is not only a security risk, as they often use an initial password, but also creates unnecessary licence costs. There will always be inactive users in your SAP system. There may be several reasons for this. For example, they may be management level users that are virtually unused because they are not using the ERP system. It could also be that employees no longer use their SAP user due to a change of position or that outsiders do not work on the SAP system for a while. In any case, you should ensure that these inactive users are either blocked or invalidated. Up to now, you had to select all inactive users with the help of the RSUSR200 report and then manually transfer them into the SU10 transaction to perform the blocking. You can now do this automatically.
As a second way to automate the mass maintenance of role pipelines, we mentioned the use of business role management. Various solutions are offered on the market that offer this functionality in the same or similar form. Some of these solutions do not use the derivation concept; This has the advantage that the organisational matrix is not limited to organisational fields. However, the major deviation from the standard functionalities of the PFCG role is detrimental to this variant.
Define security policy for users
The user's access to this program is realized by assigning a role that contains the required transaction including the authorization objects to be checked. A role can contain a large number of authorization objects.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
If you want to know more about SAP authorizations, visit the website "www.sap-corner.de".
In the SOS, a recommendation is made for each check to minimise the identified risk.