SAP S/4HANA: Analysis and simple adjustment of your authorizations
Use table editing authorization objects
We recommend that you transport all of these changes. As a rule, you should always make changes to organisation levels on your development system and then transport them. Note that the organisation levels and the proposed permissions are client-independent data, whereas the affected roles and profiles are client-dependent. If you use more than one client, you must therefore also run the PFCG_ORGFIELD_ROLES report in the other clients to determine which roles contain the new organisation level. With the help of this report, you must then rework all listed roles that are marked in red in the Status: Orgebene in Role column. You can select these roles and then use the Reduce in Roles button to adjust them to the new organisation level.
Describing all configuration options would exceed the scope of this tip. If you need explanations about customising switches that are not listed here, look for the relevant note about the SSM_CID table. All settings described here can be made via the transaction SM30. Note that all settings in the SSM_CUST, SSM_COL, and PRGN_CUST tables are client-independent; only the settings in the USR_CUST table are client-dependent.
SAP Data Analytics
For simplicity, we explain this example using the PFCG_TIME_DEPENDENCY background job. This job calls the report RHAUTUPD_NEW, which can also be executed directly with the transaction PFUD. Imagine that there is no transaction code for this job yet.
For an overview of the active values of your security policy, click the Effective button. Note that the active values include not only the attributes you have changed, but also the suggested values you have not changed.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
We would like to point out that after defining and implementing an authorization object, you should no longer change the permission field list, as this will cause inconsistencies.
The shared transport job also contains the complete history of changes to the profiles and permissions, so that obsolete data can also be deleted in the target systems.