Once you have edited the role menu, you can customise the actual permissions in the PFCG role. To do this, click the Permissions tab. Depending on the quantity of external services from the Role menu, the authorization objects will appear. The authorization objects are loaded into the PFCG role, depending on their suggestion values, which must be maintained for each external service in the USOBT_C and USOBX_C tables. You can edit these suggested values in the SU24 transaction. Make sure that external services in the Customer Name Room also have the names of external services and their suggestion values in the tables maintained (see Tip 41, "Add external services from SAP CRM to the proposal values"). Visibility and access to external services is guaranteed by the UIU_COMP authorization object. This authorization object consists of three permission fields: COMP_NAME (name of a component), COMP_WIN (component window name), COMP_PLUG (inbound plug).
At the latest, if it is no longer possible to clearly define which transactions should be included in which roles and which roles a user requires, a correction is necessary. It must be clear which rights are required for the individual tasks in the system.
Search for user and password locks
The role menu of the PFCG role now consists of folders that represent all logical links within a scope start page, and external services that represent the logical links and the area start pages themselves. This means that any external service listed in the Role Menu is eligible for a Area Start Page or Logical Link. If such an external service is removed from the role menu and the PFCG role is generated, the user of this PFCG role does not have permissions to view this external service (see screenshot next page). You will find duplicate, maybe even triple, entries from external services. These are mainly found in the folders of the homepage and under GENERIC_OP_LINKS. You can delete them without any concern, because an external service for a permission must appear only once in the Role menu. For a better overview, it is also useful to rename the external services or folders as they are shown in the SAP CRM Web Client.
The security audit log is evaluated via the SM20 or SM20N transaction or the RSAU_SELECT_EVENTS report. We recommend using the report as you have more options to personalise the evaluation and to include archived logs of different application servers in the evaluation.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
Before you can start upgrading the suggestion values and roles, you need to consider a few things.
SAP's proposed permissions for the S_DATASET authorization object do not provide much help, and S_PATH has virtually no information, because you must activate this authorization object only by customising the SPTH table.