PROGRAM START IN BATCH
When creating the permission concept, a naming convention is defined for PFCG roles. Every customer has his own preferences or specifications, which must be adhered to. According to our project experience, some naming conventions are particularly attractive. Naming conventions for PFCG roles can be very diverse. You will have noticed that even the roles provided by SAP do not correspond to a uniform naming convention. So there are roles whose names start with SAP_. There are also roles, such as for the SRM system, that start with the /SAPSRM/ namespace. In this tip we would like to give you some hints and criteria that you can use to help define a naming convention of PFCG roles.
Since a role concept is usually subject to periodic changes and updates, e.g. because new functions or modules are introduced or new organisational values are added, role names should be designed in such a way that they can be expanded. Therefore, in the next step, define the useful criteria you need in your role name.
Run the System Trace for Permissions (ST01 or STAUTHTRACE transaction) to record permission checks that you want to include in the role (see Tip 31, "Optimise Trace Evaluation"). Applications are logged through the Launch Permissions checks.
Launch the QuickViewer for SAP Query with the SQVI transaction. Create a new query named ZMYSUIM on the entry screen. Enter a description of it and - this is the most important step - specify a table join as the data source. You can now specify your data sources on the following screen. You can select the tables in the menu via Edit > Insert Table (or by pressing the button ). In our case, this would be the AGR_ 1251 table for the Role Permissions Values and the AGR_USERS table for the user assignments in rolls. The system automatically proposes a join of the tables via shared data columns. In our example, this is the name of the role.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
New modules, new processes and new user groups very quickly lead to many authorization groups, numerous authorization roles and complex documentation - even assuming the ideal case that companies have used Excel, for example, for all previous implementations and enhancements and have kept the documentation up to date.
If one or the other recommendation has not been implemented, this circumstance should in any case be documented in a comprehensible manner, or it should be possible to provide a comprehensible justification.