Use usage data for role definition
Excursus Special feature for authorizations for FIORI Apps under S/4HANA
Permissions must have both identical maintenance status (default, maintained, modified, manual) and an identical active status (active or inactive). Exceptions represent changed permissions and manual permissions; these are summarised when the active status is identical.
In the simulation overview you will now receive all the information you already know from the authorisation maintenance in the transaction PFCG. The results are presented in a table where each row corresponds to a value interval of a permission. The Object column specifies the authorization object. Use the Active/Inactive column to determine if the permission has been disabled. The Maintenance Status and Update Status columns provide information about the status of the permission and how the permission has been updated. In the Permissions Comparison column, you can find out what exactly changed on the permission, such as whether a permission has been deleted or added anew, or whether the field values in the permission have been updated. You can find information about the field values in the Value Comparison column, which shows whether values have remained the same, whether they have been added or deleted. The values that were actually deleted and added can be seen in the columns from Value to Value (see figure next page). Please note that this is only a simulation. You must still perform the actual mixing process in the permission maintenance. Because reel mixing is not only a factor in upgrade work, the transaction SUPC also provides the ability to call this simulation mode. In the overview of the selected rolls you will find the button Mix which simulates the mixing process.
Determine Permissions Error by Debugging
As part of identifying authorization problems, it should be documented what the risks are if the current situation is maintained. Often, those responsible in the company do not want to make a correction because it causes costs and work. If the current concept works and security gaps are abstract, many people in charge are reluctant to change anything. For these reasons, the first step should be to document what problems and dangers lurk if the current concept is not corrected: First, the risk of fraud, theft, and data privacy and security breaches increases. Documentation can help identify where dangers lie. There is a fundamental problem of financial damage to the company if action is not taken. Another danger is that users will experiment with their authorizations and cause damage that can be avoided by having a clean authorization structure. Also a problem is the increased administrative overhead of granting and managing permissions. The effort increases if the current role assignments are not transparent and optimally structured.
Object Privileges: Object Privileges are SQL permissions that control access to and modification of database objects (as a whole). The type of object (table, view, procedure) determines which database operations can be authorised. Database operations include SELECT, UPDATE, ALTER, DROP, and DEBUG.
Authorizations can also be assigned via "Shortcut for SAP systems".
The generated password is then set as the initial password and must be changed at the next login by the user.
In practice, we have found that this feature is very often used by users.