Hash values of user passwords
Organisationally restrict table editing permissions
You will be aware that you do not necessarily have to move in the Customer Name Room when assigning names of PFCG roles and therefore have a lot of freedom. The only limitation here is that you may not use the namespace of the roles that are interpreted by SAP. First, you must agree on the form of the names. A fundamental decision is to define the language in which the PFCG roles must be maintained. Although this does not necessarily have an influence on the role name, since it is the same in all languages, you will certainly have descriptive elements in your role name. The role description and the long text are also depending on the language. It is therefore useful to start the roles in the language which is also used most frequently, and also to cultivate the descriptive texts first in this language. If roles are required in different languages, you can translate the texts.
Finally, you can extend your implementation of the BAdIs BADI_IDENTITY_SU01_CREATE and pre-enter additional fields of the transaction SU01. To do this, complete the appropriate SET_* methods of the IF_IDENTITY interface. For example, it is possible to assign parameters that should be maintained for all users, assign a company, or assign an SNC name.
Authorization objects of the PFCG role
Many companies do not pay enough attention to the topic of authorizations in SAP SuccessFactors. It often seems too complex and confusing. Both the creation of a concept and the harmonization of existing structures often seem like a mammoth task. However, with role-based authorizations, SAP provides a very powerful control tool that remains clear with a little help and documentation.
A new transaction has been added to evaluate the system trace only for permission checks, which you can call STAUTHTRACE using the transaction and insert via the respective support package named in SAP Note 1603756. This is a short-term trace that can only be used as a permission trace on the current application server and clients. In the basic functions, it is identical to the system trace in transaction ST01; Unlike the system trace, however, only permission checks can be recorded and evaluated here.
With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.
Now run the job to collect permission checks on the permission trace.
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
You should therefore set up HTTPS for all users to access the Web.