BASIS - SAP Basis
Create and assign authorization roles
Missing org level values in role
Goal: secure and least-privilege system access.
Typical stakeholders: security admin, basis consultant, process owner.
KPIs to watch: critical auth findings, access request lead time, segregation-of-duties conflicts.
A team requests a single 'power role' for speed, but it includes purchasing, payment, and admin authorizations.
Consultant note: Split by business process and risk level. Use display roles plus narrowly scoped create/change roles.
Problem: One role combines conflicting purchasing and payment privileges.
Diagnosis: Analyze the role's authorization objects and org-level values; run SoD checks against the control matrix.
Resolution: Split role by process boundaries (display/post/release), restrict org levels, and retest business tasks.