Risk: historically grown authorizations
The Security Audit Log (SAL) has ten different filters in the current releases, which control which events are logged. You can configure these filters via the SM19 transaction. The events are categorised as uncritical, serious or critical.
Armed with this information, it goes to the conceptual work. Describe which employee groups, which organisational units use which applications and define the scope of use. In the description, indicate for which organisational access (organisational level, but also cost centres, organisational units, etc.) the organisational unit per application should be entitled; So what you're doing is mapping out the organisation. It is also important to note which mandatory functional separation must be taken into account. This gives you a fairly detailed description, which in principle already indicates business roles (in relation to the system).
Grant permissions for SAP background processing
If you do not want to use reference users, you can hide the Reference User field for additional permissions via a standard variant for the transaction SU01. The necessary steps are described in SAP Note 330067.
A text file is now created under the appropriate path, containing the desired format with the input parameters. Open the data with Microsoft Excel and set your target value list. To do so, delete the line *ECATTDEFAULT. In the VARIANT column, you can simply use a sequential numbering. Save the file in text format, not in any Excel format.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
However, the authorization check should only take place on three levels.
For more information and implementation guidance, use SAP Note 1500054.