Limitations of authorization tools
Security in development systems
Even the best authorization tools cannot compensate for structural and strategic imbalances. Nor can a lack of know-how about SAP authorizations be compensated for cost-effectively by means of tools.
If, after an upgrade or after inserting a support package, you have used the SU25 transaction with steps 1 or 2a to bring suggested values to the latest SAP system state, you must restore the suggested values to the customer's organisation levels with the PFCG_ORGFIELD_UPGRADE report. To do this, you must run the report for each field, with the report's search engine showing only the affected organisation levels.
Transactional and Native or Analytical Tiles in the FIORI Environment
You can influence the default behaviour of various transactions and parameters with the customising switches for the maintenance of Session Manager and Profile Generator as well as the user and permission management. The SSM_CID table gives you an overview of all customising switches supplied by SAP, specifying the relevant tables SSM_CUST, SSM_COL, PRGN_CUST and USR_CUST. The short description of the customising switch refers to the relevant and current SAP references. The actual settings can be found in the SSM_CUST, PRGN_CUST and USR_CUST tables.
This report has two functions. PFCG role consolidation: identical roles are combined in the user master record when their validity periods overlap or directly follow one another. Select the users, user groups, or roles to apply these rules to in the Selection Criteria pane. Deleting expired PFCG roles: if you uncheck Expired Mappings, expired roles will be removed from the user master record.
With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.
The implementation of SAP Note 1870622 provides a feature enhancement for the SE97 transaction.
In addition, you should pay attention to the TARGET_SYS field, since favourites can also be entered for other systems; in this case, an RFC target system is entered under TARGET_SYS.