Best Practices Benefit from PFCG Roles Naming Conventions
Error analysis for authorizations (part 1)
In the SAP standard, there is no universally applicable way to automate the mass maintenance of role derivations. We therefore present three possible approaches: 1) Approach to custom development 2) Automated mass maintenance using the Business Role Management component 3) Use of a pilot note that allows a report for mass update of organisational values in rolls (currently available to selected customers) (BRM) from SAP Access Control.
If the ID is maintained for all affected clients, there is no longer a risk that the six digits used from the fifth position of the generated profile name will be the same. For more information on how to handle generated profiles in complex system landscapes, see Tip 54, "Managing Generated Profile Names in Complex System Landscapes.".
Use system recommendations to introduce security
There is a special feature for roles if the corresponding SAP system is based on S/4HANA. While under SAP ERP only roles with authorizations for the GUI system were relevant, corresponding business roles are required for the applications under FIORI. In addition to the roles in which authorization objects and authorization values are entered, so-called business roles are also required.
Launch the QuickViewer for SAP Query with the SQVI transaction. Create a new query named ZMYSUIM on the entry screen. Enter a description of it and - this is the most important step - specify a table join as the data source. You can now specify your data sources on the following screen. You can select the tables in the menu via Edit > Insert Table (or by pressing the button ). In our case, this would be the AGR_ 1251 table for the Role Permissions Values and the AGR_USERS table for the user assignments in rolls. The system automatically proposes a join of the tables via shared data columns. In our example, this is the name of the role.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
For performance reasons, if you want to archive in shorter intervals, you should always archive all archive objects at the same time and store the PFCG and IDENTITY archive object classes in separate archives.
So much information... how can you keep it so that you can find it again when you need it? That's what Scribble Papers is great for.
It is also possible to enter an authorization object several times in the role using the MANUAL button.