Authorization Variants in PFCG

Have you ever changed the default authorization values, causing the authorization field status to switch from “Standard” to “Changed”?

Did these changes lead to audit issues?

Are you frequently modifying SU24 check proposals to keep the object status as “Standard”?

If your answer is Yes for these questions, this article is the answer!

The problem statement:

As mentioned, the biggest problem with maintaining authorizations is BREAKING OF MAPPINGS between SU24 & PFCG. The authorization proposals suggested by SU24 by default may have to be modified by the Security administrators during the profile maintenance. For example:

S_USER_GRP is proposing ACTVT 01, 02, 03 by default, but during the role definition, the Security administrator is advised to maintain with only ACTVT 02, 03 due to business requirements.

When the ACTVT 01 is removed from the standard proposals, the status of the object will be set to “Changed” which is often not agreed by the auditors.

Further, this is not an industry recommended approach too.

SU24N – How different is it from SU24? Is this the answer?

SU24N is available with basis component (SAP_BASIS)754 and 755 (release) and in 2021, SAP merged it with SU24.

With SU24, only one set of proposals can be defined, which often leaves some of the fields open because they had to be maintained directly in the roles. With the latest development of SU24, which for a while was called SU24N, it is now possible to build various sets (called variants) of authorization proposals.

On the new APPLICATIONS tab in PFCG, the role administrator can define which variants of the menu t-code an individual needs based on the user roles & responsibilities.

To create a new variant, follow the steps detailed below:

  1. Go to transaction code SU24.
  2. Select Type of Application as Transaction.
  3. Enter SU01 and click Execute.

  4. In the SU24 Data screen, click Create Variant button.
  5. Enter a name for the Variant (for example Z_SU01_CH_LOCK_DSP), enter Short Text, and click Save.
    Note: A workbench request will be created since we are making changes in SU24. Ensure to release this TR and move forward to Quality/Production systems as desired.
  6. For the S_USER_GRP object, maintain the values that are needed (make necessary changes)
  7. Click Save.

Once the variant is created, you can see them in the Applications tab once the transaction code is added in the menu. Refer to the below screen shot:

Follow the steps mentioned below to use the variant in the role while maintaining the authorizations:

  1. Go to PFCG and open the role that has the SU01 T-code in ‘Menu’ tab.



  2. Navigate to the ‘Application’ tab and select the required variant which is created as per the business need.



  3. Go to the authorization Tab and you will be able to get the values maintained for the variant in the SU24 t-code.



You may notice that the status of the object still shows as “Standard”.

Additional Information:

Here are the tables related to authorization variants that might assist you with various reporting requirements:
  • AGR_APPL_VARS– Role Vs Variants
  • USOBCONTAINER– T-CODES Vs Variants
These tables provide essential information to help manage and report on authorization variants effectively.
Leave a Reply

Your email address will not be published. Required fields are marked *

Receive updates on upcoming webinars, the latest case studies, and more directly in your inbox. Stay informed and connected by subscribing to our newsletter.

Stuti

Stuti is an experienced Access Governance consultant who began her career at ToggleNow. With a strong background in SAP security and compliance, she excels in managing and optimizing authorization processes. Stuti’s expertise lies in ensuring seamless role maintenance and audit compliance. She is passionate about helping organizations enhance their security frameworks and streamline access management. Outside of work, Stuti enjoys exploring the latest trends in technology and cybersecurity.

Explore our success stories

A case study on analyzing Custom Transaction codes and updating the Risk Ruleset

In today’s dynamic business landscape, many SAP customers leverage custom transaction codes to streamline operations and enhance efficiency. However, with customization comes responsibility, as it introduces risks such as segregation…

How we helped businesses succeed by providing them with innovative and effective solutions to manage risks

In today’s business landscape, managing SAP systems can be challenging. Many companies struggle with Segregation of Duties (SoD) conflicts and irrelevant transaction codes, making audits cumbersome and increasing the risk…

Case study on SAP Licensing Optimization

Today’s business environment requires the efficient management of SAP licensing, though it can be challenging. This problem can be resolved by Optimus for SAP Applications, developed by ToggleNow, by offering…

Learn how we can help you and your enterprise through the GRC transformation journey. Choose the appropriate option and fill out the form. Let’s get started!

Product demo

Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Detailed Discussion

Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Partnership Discussions

Lorem ipsum dolor sit amet, consectetur adipiscing elit.