Query the Data from an HCM Personnel Root Record
Customise evaluation paths in SAP CRM for indirect role mapping
In the PRGN_CUST table, set the customising switch REF_USER_CHECK to E. This prevents you from using other types of users than reference users. This switch only affects new mappings; You should manually clean up any existing mappings of other user types.
You noticed that the maintenance status of the permissions in PFCG roles changes when you maintain, change, or manually add authorization objects? Find out what the permission status is. When deleting or adding transactions in the role menu of PFCG roles, the respective permissions in the PFCG role have the Maintenance Status Standard. Add or change the permissions, the Maintenance Status changes to either Care or Changed. You may have seen the Maintenance Status Manual before. What are the background to this maintenance status and what do they actually say?
Unclear objectives and lack of definition of own security standards
If you want to set up a new client or take over the movement data of the productive system in a development system, you should also consider the modification documents. If you have a client copy, you should first delete the indexing of the change documents (table SUIM_CHG_IDX), since you can restore the indexing after the copy. To do this, use the SUIM_CTRL_CHG_IDX report without selecting a date and check the Reset Index box. After the copy has been made, delete the change documents that are dependent on the client; This also applies to the client-independent change documents (e.g., proposed permissions, table logs) if you have copied the client to a new system. In addition, you should remove the shadow database alterations before copying the client and complete the index build after the copy. In any case, check the Reset Index box in the SUIM_CTRL_CHG_IDX report!
For the transport of PFCG roles with their profiles there is also an SAP notice: Note 1380203. If you enter the correction, it is possible to use separate positions for the third and fourth digits of the generated profile name for the definition. In the SAP standard, the name of a generated profile is composed as follows, for example, if the System ID is ADG: T-AG#####. If your other source systems differ only in the second place of the system ID, the profile name does not indicate from which system the profiles originate.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
If you want to get more information about SAP basis, visit the website www.sap-corner.de.
This leads you to a concept in which functional and organisational separation is simply possible.
So much information... how can you keep it so that you can find it again when you need it? That's what Scribble Papers is great for.
Of course, you can always adjust the proposed values according to your requirements.