Implementing CRM Role Concept for External Services
System Users
For each area, the connection to other modules is the first priority. For example, for the Controlling division, the connection to the Finance division is first established by connecting the accounting area (FI) to the cost accounting area(s). The assignment of the cost accounting area to the result area is then an internal allocation within the controlling. If no allocations are found for certain valid organisational values, one of the two modules or the relevant functional area shall not be used for the organisational units of the enterprise.
In line with the maintenance of the SAP transaction permissions proposal values using the SU22 and SU24 transactions, it is advisable to maintain proposed values for web applications. In order for a user to be assigned a suitable rating for an operational feature set in the Web application, the software developers in the transaction SU22 must connect all the authorization objects required for this application to the corresponding Web Dynpro application, i.e. not just S_START. The source of the required authorization objects is usually a developer or permission trace.
Maintain permission values using trace evaluations
When programming your permission check, always check the SY-SUBRC return code and define what should happen in the event of a non-successful permission check, i.e. if SY-SUBRC is not equal to 0. In most cases, an error message occurs and the programme is cancelled.
Every company knows the situation, every year again the auditor announces himself to perform the annual audit and to certify the balance sheet at the end of the audit. In the first part on this topic, the focus was on the relevant processes and documentation. In this part, the concentration is on a deeper level, namely directly in the SAP® system. The specifications for this should already be written down in the SAP® authorization concept.
Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.
When creating or maintaining users in the Central User Administration (ZBV), you must manually start the text matching each time before assigning PFCG roles to provide you with the latest PFCG role definitions.
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
The same applies to the Organisation Management buffer if you use indirect role mapping.