Excursus Special feature for authorizations for FIORI Apps under S/4HANA
Development
This list in the AGR_1252 table contains both the organisational fields that are shipped in the standard and the fields that you have collected for organisational fields. Unfortunately, the list does not indicate what kind of organisation field it is. But you can find out: Open the PFCG_ORGFIELD_DELETE programme via transaction SA38. The Organisation Level Value Helper (Orgebene) provides a list of all customer-specific organisation fields, because only these can be converted back to normal Permissions Object Fields. Note the implications if you want to actually run this programme.
Permissions profiles are transported in the standard (since release 4.6C) with the roles. If you do not want to do this, you have to stop the data export in the source system by the control entry PROFILE_TRANSPORT = NO. The profiles must then be created by mass generation before the user logs are matched in the target system. This can be done via transaction SUPC.
Permission implementation
If a user is assigned SAP_ALL, he has all permissions in an ABAP system. Therefore, particular care should be taken in the dedicated award of this entitlement. SAP_ALL can be generated automatically when you transport authorization objects. The SAP_ALL_GENERATION parameter must be maintained in the PRGN_CUST table.
The SAP authorization default values are the basis for role creation and are also the starting point for SAP authorization management. For this purpose, the SU22 SAP authorization default values must be transported via SU25 into the customer-specific SU24 tables. The consistency of the default values should therefore be checked beforehand using the SU2X_CHECK_CONSISTENCY report. If inconsistencies exist, they can be corrected using the report SU24_AUTO_REPAIR. Detailed information regarding the procedure can be found in SAP Note 1539556. In this way, you can not only clean up your SU24 values, but at the same time achieve a high-performance starting position for role and authorization administration.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
Another option is to not assign the SAP_NEW permission to a user.
However, it is not sufficient to focus only on the improvement potentials that have been presented, because it must be ensured that all those points that have not been criticized in the past will continue to fit.