Even if key users (department users/application support) do not have to develop their own authorization objects and cooperation with SAP Basis is always advantageous, there are often technical questions such as "Which users have authorization to evaluate a specific cost center or internal order?
SAP systems: Control user authorizations with a concept
Behind this RFC connection is a Trusted-RFC connection in the ERP system of the system landscape with the naming convention *_RFC. We recommend that you keep the name of the RFC connection for each ERP system in the system landscape and only change the connection data in the RFC connections. You do not need to customise your PFCG roles for the development, test, and production environments. Note that when mixing the single reel with the reel collectors, you will need to maintain the RFC connection in the roll menu of the pulley!
A prerequisite for the indirect assignment of PFCG roles is a well-maintained organisational model. This may correspond to a line organisation consisting of organisational units to which posts are assigned. Use an organisation chart to visualise the employee structure of the company or department for which you are to assign roles. Assign to the posts the people to whom a user is assigned as an attribute. In addition, you can also include other objects from HR organisation management, such as the posts describing the post and assigning roles.
Authorization tools - advantages and limitations
An overview of the actual relevant information for your system landscape can be obtained from the application System recommendations in the Change Management section of the SAP Solution Manager (transaction SOLMAN_WORKCENTER or SM_WORKCENTER). This application will provide you with a recommendation for the SAP and non-SAP hints to be implemented for the evaluated systems.
Armed with this information, it goes to the conceptual work. Describe which employee groups, which organisational units use which applications and define the scope of use. In the description, indicate for which organisational access (organisational level, but also cost centres, organisational units, etc.) the organisational unit per application should be entitled; So what you're doing is mapping out the organisation. It is also important to note which mandatory functional separation must be taken into account. This gives you a fairly detailed description, which in principle already indicates business roles (in relation to the system).
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
Strengthened password rules (e.g. to change a password regularly or to require certain character types to be used), which are supposed to serve security, do their part.
If you want to know more about SAP authorizations, visit the website www.sap-corner.de.
To keep track of which users can access which tables, run the SUSR_TABLES_WITH_AUTH report.