SAP Authorizations - A Common Perspective of Developers and Consultants
After all authorizations are maintained, the role must be saved and generated and a user comparison must be performed. However, this should not be a topic here in the article. This can also be done with the transaction PFUD (see comments to the article "SAP BC: Empty user buffer" :-).
You can do without taking obsolete profile data into account by adding the correction from SAP Note 1819126 and then setting the REC_OBSOLETE_AUTHS customising switch to NO in the table PRGN_CUST. This correction is also important because it fixes runtime problems when releasing role transports, resulting from the correction in SAP Note 1614407. As a general rule, you should always run bulk transport sharing in the background.
Set password parameters and valid password characters
Unlike the EWA, the SOS is able to list users that require extensive permissions. So you can maintain a whitelist. We recommend that you deal with the results of the SOS as follows: Verify that all identified users require critical permission. Complete the users who need this permission in the whitelist. Remove this permission from other users.
Depending on the configuration of root data and processes, different permission checks can be relevant, so that it makes sense to adjust the proposed values. If custom applications have been created in the form of Z-transactions, Web-Dynpro applications, or external services, you must maintain suggestion values for these applications to avoid having manual permissions in the PFCG roles. You must ensure that custom applications are not always visible in the SU24 transaction. This is the case for TADIR services and external services. To learn how to make these services available for suggestion maintenance, see Tip 38, "Use the SU22 and SU24 transactions correctly.".
Authorizations can also be assigned via "Shortcut for SAP systems".
For performance reasons, the SAP kernel checks whether a user is authorised in the permission buffer.
So much information... how can you keep it so that you can find it again when you need it? Scribble Papers is a "note box" that makes this very easy.
Maintain these in multiple development systems or mandates, and if you now want to transport the rolls with their generated profiles, there is a risk that the profile numbers will be the same, as the profile names consist of the first and third characters of the system ID and a six-digit number.