Add New Organisation Levels
Roles and permissions in SAP SuccessFactors often grow organically and become confusing
You know that changing your SU24 data involves mixing the roles in question. Previously, the permission administrators had to select roles from, for example, the SUIM transaction to edit them. Often, the remixing of the respective roles is also forgotten. In order to ensure that you can set the mixing mode for the respective roles directly when maintaining the data in the transaction SU24, the function has been provided here with the respective support packages named in SAP Note 1896191. Correction is used to change the mixing mode for PFCG: On/Off/Roles. The function assigns the shuffle mode to the roles, which corresponds to step 2c of the transaction SU25 (see tip 43, "Customise Permissions After an Upgrade"). You can enable this function by using the value Y for the parameter SU2X_SET_FORCE_MIX in the table PRGN_CUST. The status of the mixing mode can be checked by clicking the button Mixing mode for PFCG: Enquire On/Off. By default, this feature is off. The Roles button (Use in Single Roles) identifies all the roles that the selected application contains and displays them directly in the SU24 transaction. You will receive a list of all matching roles in the SUPC transaction by selecting the Also-to-be-matched roles option, and you can now gradually update the roles.
Optional: S_PATH authorization object: If the test identifies 3 additional permissions checks for individual paths for the S_PATH authorization object, these are checked in the fourth step. The access type and the permission group stored in the SPTH table are checked.
Authorization concepts - advantages and architecture
How is it possible to jump from one transaction to another without checking the eligibility for the target transaction? With the CALL TRANSACTION statement! In this tip, we will explain how you can grant permissions for jumps from one transaction to another using the ABAP CALL TRANSACTION command, or actively determine which checks to perform. The CALL TRANSACTION statement does not automatically check the user's permission to perform the invoked transaction. If no verification takes place in the invoked programme, it must be installed in the calling programme by adding additional features for the eligibility check.
Do you want to customise the settings for the Session Manager, Profile Generator and User Care? Use the parameters in the customising tables SSM_CID, SSM_CUST, SSM_COL, PRGN_CUST and USR_CUST. Here we show you the settings for the Session Manager, the Profile Generator or the User Care. How do I merge the user menu from different roles or disable it altogether? How can the generated passwords be adapted to your needs? How can you automatically perform user master matching after role assignments via the PFCG transaction? And how can you prevent assignments from being transported from users to roles? We'll show you how to make these settings.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
An HR structure could be mapped via this hierarchy.
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
If such an external service is removed from the role menu and the PFCG role is generated, the user of this PFCG role does not have permissions to view this external service (see screenshot next page).