Maintain proposed values using trace evaluations
In our example, the end user logs on to an SCM system, but can also call ERP transactions from here. To have these ERP transactions available in SAP SCM, create a new PFCGE role in SAP SCM, e.g. ZS:XXXX:ERP_MENU. The ERP transactions that the user should have access to are added to the roles menu by selecting Apply Menus > From Other Role > Destination System. Now select the appropriate ERP system and then select the appropriate PFCG role from SAP ERP. You do not need a profile for this "menu role" because this role only includes the ERP menu. You can now sort the transactions in the Hierarchy pane by using drag and drop or by using the arrow keys as you need them in the NWBC.
In order to provide user authorisation support, you often need their information. However, there is also the possibility to view missing permissions centrally for all users. If a user has a permission issue, a ticket is usually displayed at support. However, it is difficult for a support worker to understand permissions errors because they have different permissions and are often missing detailed information about the application where the permission error occurred. In practice, therefore, support staff often help themselves by asking the user to send a screenshot of the transaction SU53. Because this transaction shows the last failed permission check. In many cases, however, the information displayed there is not helpful to the permission administrator. You may have seen that a screenshot from the SU53 transaction shows a missing permission for typical base authorization objects, such as S_ADMI_FCD, S_CTS_ADMI, or S_TRANSLAT, but you know that your check has nothing to do with the actual permissions problem in the application. So you need the opportunity to see for yourself.
THE "TOP SEVEN"
Furthermore, automation is possible with the help of a customer-specific ABAP programme. To do this, you should take a closer look at the AGR_TEXTS table. The table contains the different text blocks in different languages. Here we show you a section of the table with our example role Z_SE63. Short texts are assigned a value of 00000 in the column LINE, and long texts are assigned a value of 00001 to 0000x. The language keys are displayed in the SPRAS column. An ABAP programme now allows you to write the counterparts for the text fields in the target language into the fields in the tables.
Consulting firms adjust the roles and authorizations in retrospect. This usually means "making the best of it" and making ad hoc adjustments - in other words, not fixing the root cause and cleaning up from scratch. Companies should therefore ask themselves: how can this be avoided? What requirements must a DSGVO-compliant authorization concept fulfill? How can we remain meaningful regarding the authorizations of specific individuals in the system and the purpose of the authorizations?
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
On the right, a new detail with the recording details appears.
However, these should be documented in a comprehensible manner so that an external auditor, such as the auditor's IT auditor, can check the plausibility.