Which challenges cannot be solved with authorization tools alone?
Starting Web Dynpro ABAP applications
However, the greatest advantage is the consistent use of reference users for performance. The use of reference users reduces the number of entries per user in the user buffer, i.e. in the USRBF2 table. This is because the entries in the user buffer only have to be stored once for the reference user and not more times for the inheriting users. This reduction in the table contents of the USRBF2 table will improve performance when performing eligibility tests.
The background to the mass presence of authorization objects in a PFCG role after a role menu has been created is usually the mass of generic OP links that are not actually necessary for the CRMBusiness role. The existence of proposed values from the transaction SU24 loads the proposed authorisation values associated with the respective external services into the PFCG role, which results in too many unnecessary authorization objects being placed there. By excluding the GENERIC_OP_LINKS folder, you only need to take care of the external services and their authorization objects configured in the CRM business role in your PFCG role. For a user to have all the necessary permissions, you now assign the basic role with the permissions to the generic operating links and the actual role that describes the user's desktop.
Use SAP Code Vulnerability Analyser
The use of suggestion values not only brings advantages when creating or maintaining PFCG roles, but also when maintaining permissions as a rework of an upgrade. Furthermore, these values can be used as a basis for risk definitions. Before creating PFCG roles, it is useful to maintain the suggested values for the transactions used. However, you do not need to completely revise all of the suggested values that are delivered by SAP.
Manual authorization profile - To minimize the editing effort when using manual authorization profiles, you usually do not enter individual authorizations in the user master record, but authorizations combined into authorization profiles. Changes to access rights take effect for all users whose user master record contains the profile the next time they log on to the system. Users who have already logged on are therefore not initially affected by changes.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
The first step in the cleanup process is therefore to find out whether the current authorization concept is sufficient and a cleanup is the best way forward, or whether a rebuild of the authorization concept is necessary.
It is therefore not sufficient to simply quickly remove the SAP_ALL profile from users in the run-up to the annual audit.