Organisational allocation
Roles and permissions in SAP SuccessFactors often grow organically and become confusing
In an SAP® system, authorizations are not the only focus of the auditor. Essential system parameters are also part of the audit. For this reason, it should also be ensured in advance that all parameters are set up in accordance with the company's specifications. The parameters concerned are all those that ensure system and client security. Among other things, it must be ensured that the production system is protected against any kind of changes and therefore no direct development is possible.
Certain permissions that are not relevant until a job step is run are checked at the time of scheduling for the specified step user. This checks whether the selected user is authorised to run the specified ABAP programme or external command. For programmes associated with a permission group, the S_PROGRAM object is checked. External commands test for the object S_LOG_COM.
Default permissions already included
Manual addition of authorization objects to roles is sometimes necessary. However, the start authorizations for actions should be generated into the role exclusively via the role menu. For the following evaluations the table AGR_1251 is used, in which to the roles the authorization objects with their values are stored.
Eligibility objects that were visible in the permission trace are quickly inserted in rolls. But are they really necessary? Are these possibly even critical permissions? A review of the Permissions Concept can reveal that critical permissions are in your end-user roles. We would like to give you some examples of critical permissions in this tip. It is helpful to know which authorization objects are covered by the critical permissions. They must also ask themselves whether the granting of these allowances entails risks.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
Several pop-up windows indicate further care activities.
In many companies, the correct use of P_ABAP is not known.