Unclear responsibilities, especially between business and IT
User Information System (SUIM)
Structural authorizations work with SAP HCM Organizational Management. They primarily define who can be seen, but not what can be seen, based on evaluation paths in the org tree. Therefore, structural authorizations should only be used together with general authorizations. The determination works via a so-called authorization profile. In this profile, the evaluation paths are used to define how to search on the org tree. Function modules can also be stored, which can be used to determine objects from Organizational Management using any criteria. This makes the structural authorizations very flexible.
Determine if all recurring external services corresponding to area start pages and logical links have been removed from the GENERIC_OP_LINKS folder. Create a separate PFCG role for this folder. This PFCG role could contain all the basic permissions a user must have in SAP CRM. This includes the permission for the generic OP links. You can transfer this folder to a separate PFCG role by locally specifying the PFCG role that contains the GENERIC_OP_LINKS folder in the new PFCG role under Menu > Other Role >. Now maintain the PFCG role so that only the UIU_COMP authorization object remains active. Disable any other visible authorization objects. These are the authorization objects that allow access to data. You can maintain these authorization objects in the PFCG role, which describes the user's workplace. In the PFCG role that describes the desktop, you can now delete the GENERIC_OP_LINKS folder. If you remix the PFCG role, you will find that many of the unnecessary permissions objects have disappeared.
Equal permissions
The passwords of the users are stored in the SAP system as hash values. The quality of the hash values and thus their safety, however, depends on the hash algorithms used. The hash algorithms previously used in SAP systems are no longer considered safe; They can be cracked in a short time using simple technical means. You should therefore protect the passwords in your system in various ways. First, you should severely limit access to the tables where the hash values of the passwords are stored. This applies to the USR02 and USH02 tables and in more recent releases the USRPWDHISTORY table. The best way to assign a separate table permission group to these tables is to do so, as described in Tip 55, "Maintain table permission groups". In addition, you should also control the accesses using the S_TABU_NAM authorization object.
With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.
You can also find some useful tips from practice on the subject of SAP authorizations on the page "www.sap-corner.de".
Now, to allow only certain external services, you can do the following: First, identify the external service using the permission trace.