Architecture of authorization concepts
Analysis and reporting tool for SAP SuccessFactors ensures order and overview
You are probably aware that you do not have to stay within the customer namespace when naming PFCG roles, so you have a lot of freedom. The only restriction is that you may not use the namespace of the roles delivered by SAP. First, you must agree on the form of the names. A fundamental decision is the language in which the PFCG roles are to be maintained. Although this does not necessarily affect the role name itself, which is the same in all languages, the role name will almost certainly contain descriptive elements. The role description and the long text are also language-dependent. It is therefore useful to create the roles in the language that is used most frequently, and to maintain the descriptive texts in this language first. If roles are required in other languages, you can translate the texts.
Other dangers include admins simply copying user roles, not having control processes for permission assignments, or not following the processes over time. In this context, two things should be clarified: Which SAP user is allowed to access which data? How do the roles differ (especially if they are similar)?
Audit Information System Cockpit
In addition, critical commands should be prohibited from the outset. Examples are EXEC SQL, which allows direct access to database tables bypassing certain security mechanisms, and CLIENT SPECIFIED, which allows access to data in other clients.
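A static check for the two statements named above, as an added example that is not part of the original page: it scans ABAP source text for EXEC SQL and CLIENT SPECIFIED while ignoring comments and literals. The function names and the sample program are constructed for illustration.

```python
import re

# Statements the page names as critical: native SQL and cross-client access.
CRITICAL = {
    "EXEC SQL": re.compile(r"\bEXEC\s+SQL\b", re.IGNORECASE),
    "CLIENT SPECIFIED": re.compile(r"\bCLIENT\s+SPECIFIED\b", re.IGNORECASE),
}

def strip_noise(line):
    """Blank out comments and literals so only executable tokens remain."""
    if line.startswith("*"):          # '*' in column 1: full-line comment
        return ""
    out, quote = [], None
    for ch in line:
        if quote:                     # inside a '...' or `...` literal
            quote = None if ch == quote else quote
            out.append(" ")
        elif ch in "'`":
            quote = ch
            out.append(" ")
        elif ch == '"':               # inline comment runs to end of line
            break
        else:
            out.append(ch)
    return "".join(out)

def find_critical(source):
    """Return sorted (line_number, statement) findings for ABAP source text."""
    cleaned = "\n".join(strip_noise(l) for l in source.splitlines())
    findings = []
    for name, pattern in CRITICAL.items():
        for m in pattern.finditer(cleaned):   # \s+ also spans line breaks
            findings.append((cleaned.count("\n", 0, m.start()) + 1, name))
    return sorted(findings)

# Constructed sample program, not taken from any real system.
SAMPLE = """\
REPORT zdemo_scan.
* EXEC SQL in a full-line comment must not be reported
DATA lv_msg TYPE string VALUE 'CLIENT SPECIFIED inside a literal'.
SELECT * FROM zdemo_tab CLIENT
  SPECIFIED INTO TABLE lt_rows WHERE mandt = '100'.
WRITE lv_msg. " exec sql mentioned in an inline comment
EXEC SQL.
  SELECT COUNT(*) FROM ZDEMO_TAB
ENDEXEC.
"""
if __name__ == "__main__":
    print(find_critical(SAMPLE))
```

Findings carry the line on which the statement begins, so a CLIENT SPECIFIED addition split across two lines is reported at the first of them.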
When the Fiori interface is called up, different roles (Fiori groups) are associated with thematically related Fiori tiles. One example is the group Master Data, which contains the Fiori tile "Manage Cost Center".
Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.
Structural authorizations work with SAP HCM Organizational Management and define who can be seen, but not what can be seen.
In this course, existing roles and profiles in authorization management (transaction PFCG) can be extended.