Check and refresh the permission buffer
Roles and permissions in SAP SuccessFactors often grow organically and become confusing
If you have defined the roles to the extent that the essential processes are depicted, then you will technically check which organisational features they contain (organisational levels, but also cost centres, organisational units, etc.). You then compare the technical result with the result from the consideration of the structure organisation and the business role description. A likely result is that you do not have to use all technical organisational features for differentiation. A possible result is that you want to add fields such as the cost centre to the organisation level.
Changes in customizing and various security-relevant changes, such as the maintenance of RFC interfaces, can be viewed via table change logs. This authorization should only be given to an emergency user.
Organisationally restrict table editing permissions
A careless handling of the permissions with sensitive employee data can go quite nicely in the pants. Prevent uncontrolled and extensive reporting access to your HCM data by properly using the P_ABAP authorization object. In many companies, the correct use of P_ABAP is not known. As a result, there are often false expressions that, in the worst case, allow uncontrolled reporting access to all data in the logical database PNPCE (or PNP). This way, you can again erase your access restrictions, which were previously painstakingly defined in a permission concept. Therefore, it is necessary to test the use of P_ABAP in individual cases and to use the existing limitations. In the following we describe the logic behind this authorization object and what it is important to avoid.
You can schedule background jobs in the SM36 and SA38 transactions, but also in a variety of application transactions. It is important to know that special permissions are not necessary for the installation, modification, etc. of your own jobs. An exception is the release of background jobs; it is protected by a permission. Permissions are also required for the activities on other users' background jobs, and the following authorization objects are available in SAP backend processing: S_BTCH_JOB controls the access rights to other users' jobs. S_BTCH_NAM allows you to schedule programmes under a different user ID. S_BTCH_ADM grants parent permissions that are usually only required by administrators.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
In addition to these requirements, other settings can ensure that the transaction can be performed without verification: Verification of eligibility objects is disabled by check marks (in transaction SU24).
Finally, the check logic provides for a row-level check within a table if you want to restrict access to the table contents depending on an organisational mapping.