Customise evaluation paths in SAP CRM for indirect role mapping
Implementing the authorization concept in the FIORI interface
In the SU53 you get the entry of the user that is stored there, and this may be old. So it is better to let the user himself display the authorization error via the menu. Maybe you create a small docu for all your users how to display the error and where to send it, so a "Cooking Recipe: How To...". In the SU53 error excerpt, the first thing that is displayed is the authorization that the user is missing. So this object has to be analyzed. In the further part of the error message, the permissions assigned to the user are displayed. This information can be used to classify the user with his role set, where he belongs etc. Finally, in our case 1, we now have the missing authorization and must now clarify whether the user should receive this authorization or not. In addition the specialist department must be contacted, which has to decide whether the user receives the permission! It can happen that the problem reported by the user is not an authorization problem at all. Then the last authorization error is displayed in the SU53 area, which is not the cause of the error at all. Therefore, it is always good to have a screen image of the actual error message sent to you as well. It is not uncommon for developers to issue an authorization error of the type "No authorization for..." from their programs, but they have not checked this with a standard authorization check at all, so that the error is not an actual authorization error.
The security check also shows when no redesign is necessary because the authorizations found are compatible with the current concept. The checks allow incorrect authorizations to be identified and rectified without a redesign.
Transports
If you want to use reference users and use the User menu, you should also ensure that users also see the role menus associated with reference users. To do this, enter the corrections in SAP Note 1947910. They include two switches for customising in the SSM_CUST table.
Manual authorization profile - To minimize the editing effort when using manual authorization profiles, you usually do not enter individual authorizations in the user master record, but authorizations combined into authorization profiles. Changes to access rights take effect for all users whose user master record contains the profile the next time they log on to the system. Users who have already logged on are therefore not initially affected by changes.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
On www.sap-corner.de you will also find useful information about SAP basis.
Put the values of the permission trace into the role menu: The applications (transactions, web-dynpro applications, RFCBausteine or web services) are detected through their startup permissions checks (S_TCODE, S_START, S_RFC, S_SERVICE) and can be added to the role menu of your role.
To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.
In this tip we would like to give you some hints and criteria that you can use to help define a naming convention of PFCG roles.