Even if key users (department users/application support) do not have to develop their own authorization objects and cooperation with SAP Basis is always advantageous, there are often technical questions such as "Which users have authorization to evaluate a specific cost center or internal order?
System trace function ST01
Roles can be assigned to users directly through user management in the SU01 transaction, role maintenance in the PFCG transaction, or mass change of users in the SU10 transaction. However, if the employee changes his or her position in the company, the old roles must be removed and new roles assigned according to the new activities. Because PFCG roles are created to represent job descriptions, you can use organisational management to assign roles to users based on the post, job, etc.
Permissions in the Permission Tree with status are only deleted if the last transaction associated with the permission has been deleted from the Role menu. Delete and recreate the profile and permissions All permissions are created anew. Previously maintained, changed or manual values will be lost and deleted. The exception here is the values that are filled by the organisation levels.
Add New Organisation Levels
The following sections first describe and classify the individual components of the authorization concept. This is followed by an explanation of which tasks can be automated using the Profile Generator.
Authorization objects are defined with the help of transaction SU21. Each SAP transaction is equipped with the required authorization objects in SU24, which control access to specific functions within the respective program. Standard programs / transactions of an ERP system are already equipped with these objects during the initial installation. The same applies to other platforms such as CRM or Solution Manager.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
There is a fundamental problem of financial damage to the company if action is not taken.
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
I prefer to have the user run the transaction until the error message "No authorization...", then use the menu to display the error, and send me a screen shot of the first page of output.