Context-dependent authorizations
Mitigating GRC risks for SAP systems
Reasons for incorrect organisational levels are values that have been manually maintained in the authorization object itself, instead of using the Origen button, as well as incorrect transports or incorrectly created or deleted organisational levels. Since correct inheritance can no longer occur in such cases, you need a way to reset incorrect values of the organisation levels in the PFCG roles.
If you do not want to use reference users, you can hide the Reference User field for additional permissions via a standard variant for the transaction SU01. The necessary steps are described in SAP Note 330067.
Eligibility proposal values
For performance reasons, the SAP kernel checks whether a user is authorised in the permission buffer. However, only profiles and no roles are loaded into the permission buffer. Calling the SU56 transaction will cause you to parse the permission buffer, first displaying your own user's permission buffer. A pop-up window to change the user or authorization object will appear from the Other User/Permissions Object (F5) menu path. Here you can select the user you want to analyse in the corresponding field. The Permissions > Reset User Buffer path allows you to reload the permission buffer for the displayed user.
However, the greatest advantage is the consistent use of reference users for performance. The use of reference users reduces the number of entries per user in the user buffer, i.e. in the USRBF2 table. This is because the entries in the user buffer only have to be stored once for the reference user and not more times for the inheriting users. This reduction in the table contents of the USRBF2 table will improve performance when performing eligibility tests.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
Reference users inherit the permissions assigned to them to the users with whom the reference user is registered.
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
Adapting business processes to legal requirements requires control of users and authorizations.