Controlling file access permissions
Use usage data for role definition
The case that the user buffer is not up to date is very rare. The auth/new_buffering profile parameter sets the value 4 to immediately update the permissions, i.e. changes to the user root or roles or profiles, and write them to the USRBF2 database table without requiring a new login. This value is set by default. The fact that the buffer is not up-to-date is recognised by the fact that existing permissions that are not in the buffer are marked in the transaction SU56 with the note "In the root data but not in the user buffer".
Have you ever tried to manually track who among the users in your SAP system has critical authorizations? Depending on your level of knowledge and experience, this work can take a lot of time. If audits have also been announced, the pressure is particularly high. After all, it is difficult to fulfill all requirements regarding SAP authorizations manually.
Features of the SAP authorization concept
Other dangers include admins simply copying user roles, not having control processes for permission assignments, or not following the processes over time. In this context, two things should be clarified: Which SAP user is allowed to access which data? How do the roles differ (especially if they are similar)?
Another option is to not assign the SAP_NEW permission to a user. For example, during the tests to be performed, both the development system and the quality assurance system will experience permission errors. These should then be evaluated accordingly and included in the appropriate eligibility roles for the correct handling of the transactions.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
Understanding the structure and functioning of the system is especially important for IT administration. It is not for nothing that "SAP Basis Administrator" is a separate professional field. On the page www.sap-corner.de you will find useful information on this topic.
You can transfer this folder to a separate PFCG role by locally specifying the PFCG role that contains the GENERIC_OP_LINKS folder in the new PFCG role under Menu > Other Role >.
To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.
Wildgrowth of characters used in user IDs can have negative effects.