Default permissions already included
Essential authorizations and parameters in the SAP® environment
For even more extensive operations on jobs, there must be an authorization for object S_BTCH_ADM, in which the field BTCADMIN (identifier for the batch administrator) has the value 'Y'. This allows cross-client operations on any job. S_BTCH_ADM with value 'Y' thus also contains the objects S_BTCH_JOB action * and S_BTCH_NAM and S_BTCH_NA1 with user/program = *. Therefore, this is a very critical authorization because it allows an identity change. With the changes mentioned in note 1702113, the S_BTCH_ADM object can be used to restrict the authorization assignment more precisely.
It is best if the persons responsible for the system develop role descriptions with their departments in advance and document them outside SAP SuccessFactors (e.g., as in Fig. 2). In case of queries, they can use this basis to explain exactly why someone has been given a certain authorization. The role descriptions and the report help to work in a DSGVO-compliant manner. Since the report updates automatically, companies have no additional effort to document the changes - one less unloved (and often "forgotten") task.
Excursus Special feature for authorizations for FIORI Apps under S/4HANA
Finally, we would like to draw your attention to SAP Note 1781328, which provides the report PFCG_ORGFIELD_ROLES_UPD. This report enables a mass update of existing role derivations. However, you do not use the concept of the organisational matrix, but you have to store the new organisational values directly when the report is called. Therefore, this function requires a high degree of understanding for the adjustments that are running in the background and is therefore only available as a pilot note. This means that this message must be explicitly requested via a customer message and only then will SAP support release it for you if necessary. It is not currently planned to make the information generally available via a support package.
The next step is to maintain the permission values. Here, too, you can take advantage of the values of the permission trace. When you switch from the Role menu to the Permissions tab, you will generate startup permissions for all applications on the Role menu and display default permissions from the permissions suggestions. You can now add these suggested values to the trace data by clicking the button trace in the Button bar.
Authorizations can also be assigned via "Shortcut for SAP systems".
The assignment of combinations of critical authorizations (e.g., posting an invoice and starting a payment run), commonly known as "segregation of duties conflicts," must also be reviewed and, if necessary, clarified with those responsible in the business departments as to why these exist in the system.
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
The SAP authorization concept also maps the organization of authorizations within the SAP system.