Map roles through organisational management
You can set up a nightly background job to match the certificates with your customer's own programme. This requires that the certificates can be obtained through an SAP programme.
In both cases the transaction S_BCE_68001410 is started. Here you can search for an authorization object by authorization object, authorization object text, object class and other options.
User & Authorization Management with SIVIS as a Service
Standard permissions required for a functionally fully descriptive role should be maintained accordingly. It is recommended to disable and not delete unneeded permissions, or even entire permission branches. Permissions that have been set to Inactive status are not reinstated as new permissions in the permission tree when they are reshuffled, and those permissions are not included in the profile generation process, and thus are not assigned to a role in the underlying profile.
With these methods, we not only help you with the implementation. You can also maintain and manage the solutions yourself afterwards, or you can trust us to run them for you: We call this Customer Success.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
If the ID is maintained for all affected clients, there is no longer a risk that the six digits used from the fifth position of the generated profile name will be the same.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
Please specify it accordingly.