Customising User and Permissions Management
Check the SAP authorization concept
Since at least developers in the development system have quasi full authorizations, as mentioned above, concrete access to a critical RFC connection can therefore not be revoked. Since RFC interfaces are defined for the entire system, they can be used from any client of the start system. Existing interfaces can be read out via the RFCDES table in the start (development) system.
The goal is for SAP SuccessFactors users to maintain an overview of roles and authorizations in the system. Analysis and reporting tools help to achieve this. At ABS Team, we use our own combination of an SAP SuccessFactors solution and external documentation for this purpose. As the first graphic shows, our approach is built on a delta concept: all SAP authorizations and processes function independently of each other.
As an SAP SuccessFactors implementation partner, we are often confronted with complex authorization constellations. For sure: If a consulting company does not implement a process first and the "framework" is missing as a result, the existing SAP authorizations must be analyzed retrospectively and the underlying concept must be understood. Only then can the new process be meaningfully inserted into the authorization concept.
Structural authorizations have a so-called root object, i.e. a starting point and an associated evaluation path. The organization chart of the company is stored in SAP HCM. This makes it possible to see how which positions are linked to each other. If a specific piece of information about an employee is required, it can be read out via a path. At the end there is a list of objects.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
You must note that the system expects the client to be prefixed, and the next step allows you to maintain the chunk in the target language.
Authorization objects should always be defined in advance with the user group and then relate to a specific action within the system.