Roles and permissions in SAP SuccessFactors often grow organically and become confusing
SAP Authorization Trace - Simple Overview of Authorizations
However, a full SAP security audit does not end here. In addition, the auditor examines whether the four important concepts of SAP Security, namely the data ownership concept, the proprietary development concept, the authorization concept and the emergency user concept, meet the requirements. Each of them should represent a fully formulated document that, on the one hand, contains all the target specifications for the respective topic and, on the other hand, is consistent with the actual state found during the audit.
In most cases, customizing is performed using transaction SPRO. However, this is only the initial transaction for a very comprehensive tree structure of further maintenance transactions. Most customizing activities, however, consist of indirect or direct maintenance of tables. Therefore, a random check of the authorization structure in this environment can be reduced to table authorizations. In the case of delimited responsibilities within customizing (e.g. FI, MM, SD, etc.), attention should therefore be paid here to an appropriate delimitation within the table authorizations. Independent of assigned transaction authorizations within customizing, a full authorization on table level combined with a table maintenance transaction such as SM30 practically corresponds to a full authorization in customizing. Normal customizing by user departments generally refers to client-specific tables. Access to system tables should therefore be restricted to basic administration if possible.
Error analysis for authorizations (part 1)
There may be other objects associated with the site that you can also assign a PFCG role to. As in our organisation chart, you can assign three different PFCG rolls to the user. You can assign the PFCG roles to either the organisational unit, the post or the post. In this hierarchy, you assign the user as the person of the post. The user is assigned to the person as an attribute and therefore not visible in the organisational model. An HR structure could be mapped via this hierarchy. Since the PFCG roles are not directly assigned to the user but to the objects in the Organisation Management and the user is assigned to the PFCG roles only because of his association with these objects, we speak of an indirect assignment.
It's never too late to rethink your authorization concept. Start by defining the objective of each role and take advantage of the reporting offered in SAP SuccessFactors.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
Do you not want to use SAP's standard password creation rules, but rather make your own password requirements for your users? Do you need to implement internal or external security requirements, such as audit requirements? You do not want to allow certain words as passwords, exclude certain special characters or change the formats of passwords generated by the SAP system? In the following we give you an overview of the possible characters, the existing profile parameters and the customising settings for passwords.
If this test is activated in an AS-ABAP installation (see also SAP Note 1413011), this will affect all clients.