User and authorization management
For the transport of PFCG roles with their profiles there is also an SAP notice: Note 1380203. If you enter the correction, it is possible to use separate positions for the third and fourth digits of the generated profile name for the definition. In the SAP standard, the name of a generated profile is composed as follows, for example, if the System ID is ADG: T-AG#####. If your other source systems differ only in the second place of the system ID, the profile name does not indicate from which system the profiles originate.
Alternatively, the maintenance of the authorization objects can also be called up via transaction SU21 (report RSU21_NEW). On the left side the individual classes and objects can be selected around then to the authorization object the existing authorization fields and short descriptions as well as over the button "documentation to the object indicate" also the documentation to the object to be called can.
Excursus Special feature for authorizations for FIORI Apps under S/4HANA
Are you already using BAPIs in user care? For example, you can use them to set up a password reset self service. We show you how to do this and what you need to pay attention to. Especially with large system landscapes and systems that are only sporadically used, users often forget their password. Strengthened password rules (e.g. to change a password regularly or to require certain character types to be used), which are supposed to serve security, do their part. Forgotten passwords and the frequently resulting user locks are unfortunately often lost to the user when access to a system is most needed. Unlocking a user and assigning a new password is rarely done in real time, even with large 24-hour support service departments. This problem, which I am sure you are familiar with, does not exactly promote employee satisfaction and productivity. A self-service that uses the Business Application Programming Interfaces (BAPIs) can counteract this.
Now maintain the permissions and organisation levels. If possible, use organisational level values in the note, which you can find well in other numbers later on, i.e. about 9999 or 1234. After generating and saving the role, you will be returned to eCATT. There you will be asked if you want to accept the data and confirm with Yes. You have now successfully recorded the blueprint. Now the slightly trickier part follows: The identification of the values to be changed at mass execution. In the editor of your test configuration, the record you created is located at the bottom of the text box. We can now execute the test script en masse with any input. We need a test configuration for this. In the example Z_ROLLOUT_STAMMDATEN, enter a corresponding name and click the Create Object button. On the Attribute tab, specify a general description and component. On the Configuration tab, select the test script you created earlier in the corresponding field. Then click the Variants tab. The variants are the input in our script. Since we do not know the format in which eCATT needs the input values, it is helpful to download it first. To do this, select External Variants/Path and click Download Variants. A text file is now created under the appropriate path, containing the desired format with the input parameters. Open the data with Microsoft Excel and set your target value list. To do so, delete the line *ECATTDEFAULT. In the VARIANT column, you can simply use a sequential numbering. Save the file in text format, not in any Excel format.
Authorizations can also be assigned via "Shortcut for SAP systems".
This technical migration should definitely be audited by an internal or external auditor.
The article "SAP Basis Basic or finding missing authorizations thanks to SU53 or ST01 Trace" describes this in more detail.