Emergency user concept
Testing Permission
Determine if all recurring external services corresponding to area start pages and logical links have been removed from the GENERIC_OP_LINKS folder. Create a separate PFCG role for this folder. This PFCG role could contain all the basic permissions a user must have in SAP CRM. This includes the permission for the generic OP links. You can transfer this folder to a separate PFCG role by locally specifying the PFCG role that contains the GENERIC_OP_LINKS folder in the new PFCG role under Menu > Other Role >. Now maintain the PFCG role so that only the UIU_COMP authorization object remains active. Disable any other visible authorization objects. These are the authorization objects that allow access to data. You can maintain these authorization objects in the PFCG role, which describes the user's workplace. In the PFCG role that describes the desktop, you can now delete the GENERIC_OP_LINKS folder. If you remix the PFCG role, you will find that many of the unnecessary permissions objects have disappeared.
We therefore recommend that you schedule a background job on the PFUD transaction, which performs a regular user comparison (see Trick 17, "Schedule PFUD transaction on a regular basis"). By the way, did you know that the auth/tcodes_not_checked profile parameter enables you to disable the transaction startup permissions for the SU53 and SU56 transactions? To do this, enter the value SU53, SU56, or SU53 SU56 for the profile parameter. This means that the end user no longer needs the permissions to run these transaction codes from the S_TCODE authorization object.
Add New Organisation Levels
Do you have questions about the SAP authorization concept? Do you want to revise an existing authorization concept or need help assigning SAP authorizations? Our SAP consultants will be happy to support you in all questions regarding the structure and design of SAP authorization concepts. Based on our many years of experience, we have developed best-practice procedures so that we can support you quickly and cost-effectively both with initial implementations and with challenges during ongoing operations. Arrange a no-obligation consultation and take the next step in your digital transformation.
For an authorization concept, a clear goal must be defined that is to be achieved with the help of the concept. This should list which regulatory requirements the respective system and the associated authorization concept must take into account. In this way, the legal framework is defined, which is a legal necessity for successful implementation.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
In order to nevertheless offer a procedure that is manageable and easy to handle, the SAP authorization concept was implemented on the basis of authorization objects.
If you want to know more about SAP authorizations, visit the website www.sap-corner.de.
It must be clear which rights are required for the individual tasks in the system.