SAP FICO Authorizations
User Information System SUIM
If it is clear that a cleanup is necessary, the first step should be a detailed analysis of the current state and a review of the security situation. Based on these checks, the authorizations can then be redesigned.
Before you start defining critical permissions, you should identify your core business processes or functions and then map the conflicting processes in meaningful combinations as so-called risks. The RSUSR008_009_NEW report cannot replace a GRC system (GRC = Governance, Risk, and Compliance) with the SAP Access Control component. Rather, this report should be understood and used as an indicator of the current system state. The report identifies the users that have the critical permission combinations defined in the USKRIA table. The identifier, which can also be called a risk ID, describes a combination of authorization objects with field names and field values. These are linked with one of the two available operators, AND or OR.
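The following added example is a simplified model of how a risk ID with an AND or OR operator can be evaluated against users' authorizations. It is not code from the RSUSR008_009_NEW report and does not reproduce the USKRIA table layout. The user names, risk IDs and authorization values are constructed, and value ranges are not modelled.

```python
# Added example: simplified model of risk-ID evaluation, not SAP's own logic.
# All user names, risk IDs and authorization values below are constructed.
USERS = {
    "AP_CLERK": [("S_TCODE", {"TCD": {"FK02", "F110"}}),
                 ("F_LFA1_BUK", {"BUKRS": {"1000"}, "ACTVT": {"02", "03"}})],
    "AUDITOR": [("S_TCODE", {"TCD": {"FK03"}}),
                ("F_LFA1_BUK", {"BUKRS": {"*"}, "ACTVT": {"03"}})],
    # Two separate authorizations: change in 2000, display in 1000.
    "SPLIT": [("S_TCODE", {"TCD": {"FK02"}}),
              ("F_LFA1_BUK", {"BUKRS": {"2000"}, "ACTVT": {"02"}}),
              ("F_LFA1_BUK", {"BUKRS": {"1000"}, "ACTVT": {"03"}})],
}
# risk ID -> (operator, [(authorization object, {field: critical value})])
RISKS = {
    "ZDEMO_AND": ("AND", [("S_TCODE", {"TCD": "FK02"}),
                          ("F_LFA1_BUK", {"BUKRS": "1000", "ACTVT": "02"})]),
    "ZDEMO_OR": ("OR", [("S_TCODE", {"TCD": "F110"}),
                        ("F_LFA1_BUK", {"BUKRS": "3000", "ACTVT": "03"})]),
}

def value_allowed(granted, wanted):
    """Exact match or trailing-* pattern; value ranges are not modelled."""
    return any(g == wanted or (g.endswith("*") and wanted.startswith(g[:-1]))
               for g in granted)

def holds(auths, obj, fields):
    """True if ONE authorization for obj covers every critical field value."""
    return any(o == obj and all(value_allowed(vals.get(f, ()), v)
                                for f, v in fields.items())
               for o, vals in auths)

def users_at_risk(users, risks):
    """Return {risk_id: sorted list of users matching the combination}."""
    combine = {"AND": all, "OR": any}
    return {rid: sorted(u for u, auths in users.items()
                        if combine[op](holds(auths, o, f) for o, f in rows))
            for rid, (op, rows) in risks.items()}

if __name__ == "__main__":
    for rid, names in users_at_risk(USERS, RISKS).items():
        print(rid, names)
```

The user SPLIT is not reported for ZDEMO_AND because no single authorization combines company code 1000 with activity 02, even though both values appear across that user's authorizations.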
You can use the permission check at function module level by setting the value FUNC in the RFC_TYPE field of the S_RFC authorization object. If you still want to allow function groups, specify the value FUGR here. Depending on the value of the RFC_TYPE field, enter the name of the function module or function group in the RFC_NAME field (name of the RFC object to be protected). This extension of the check is provided by the correction in SAP Note 931251.
In the SCUA transaction, which you typically use to create or delete a distribution model for Central User Administration (CUA; German: ZBV), you can temporarily disable a child system. This option is disabled by default. To enable it, you must make changes in the customising of the PRGN_CUST table. Open the PRGN_CUST table either directly or via the customising in the SPRO transaction in the respective child system.
Authorizations can also be assigned via "Shortcut for SAP systems".
So far, however, the transaction has been a kind of black box for you.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
Either you maintain a complete list of organisational values for each organisation (i.e. all entries in the USORG table), or you identify the required organisational levels from the selected reference roles (i.e. all entries for the selected reference role in the AGR_1252 table).