Risk: historically grown authorizations
Reset Manually Maintained Organisation Levels to Roles
SAP authorizations are a security-critical and thus an immensely important topic in companies. They are used not only to control the access options of users in the SAP system, but also the external and internal security of company data depends directly on the authorizations set.
Unlike the EWA, the SOS is able to list users that require extensive permissions. So you can maintain a whitelist. We recommend that you deal with the results of the SOS as follows: Verify that all identified users require critical permission. Complete the users who need this permission in the whitelist. Remove this permission from other users.
Handle the default users and their initial passwords
You can do without taking obsolete profile data into account by adding the correction from SAP Note 1819126 and then setting the REC_OBSOLETE_AUTHS customising switch to NO in the table PRGN_CUST. This correction is also important because it fixes runtime problems when releasing role transports, resulting from the correction in SAP Note 1614407. As a general rule, you should always run bulk transport sharing in the background.
GET_EMAIL_ADDRESS: The example implementation of this method reads the e-mail address from the system's user master record. Adjust the method if you want to read the email address from another source.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
Some of these solutions do not use the derivation concept; This has the advantage that the organisational matrix is not limited to organisational fields.
You can find the relevant texts for the eligibility roles via the menu path: Translation > ABAP Objects > Short Texts In the pop-up window Object Type Selection that appears, select the S3 ABAP Texts node and select the ACGR Roles sub-point.