Maintain Authorization Customizing
In this Customizing activity, you can activate or deactivate second-level authorizations, the use of shared memory for role definitions in Risk Management and Process Control, and the role inheritance function.
- If the second-level authorizations setting is active, the user selection for entity-level role assignments is restricted to users who have been assigned the corresponding PFCG role in their user profile.
- If the second-level authorizations setting is deactivated, the user selection for entity-level role assignments is enabled for all users who have been assigned the SAP_GRC_SPC_BUSINESS_USER PFCG role to their user profile.
Role Inheritance for Organizations
By activating the role inheritance for organizations, you can specify that authorizations are to be passed on to lower levels of the organization. Note that setting this checkmark activates the role inheritance for all roles in the organization used by Process Control and Risk Management.
User-Shared Memory for Role Definitions
For performance reasons, you can activate the use of shared memory for role definitions. This stores the definitions of the modeled roles in the shared memory and will improve performance.
However, be aware that the changes in role definitions – made using transaction PFCG – are then not immediately and automatically reflected in a shared memory. For this reason, consider using this option only for your production environment (not in your development and test environments).
Note: You can display the updated role data and see whether the role definitions are up to date by running the refresh report GRFN_SHM_ROLE _CHECK..
- The individual roles must be created and maintained with transaction PFCG.
- Users that are assigned to roles via user-role assignment must first have the corresponding PFCG-modeled role assigned to their user profile if second-level authorizations are active.
In the SAP standard delivery, second-level authorizations and use of shared memory for role definitions are deactivated.
- Select the Active flag to activate one or several of the options.
Eskom Configuration: Not Used – Risk Management (RM) and Process Control (PC)