The yellow traffic lights in PFCG
Hello security gurus,
Would someone tell me why the best practice is that all authorization objects in PFCG should be maintained and turn green? Are there some real reasons?
Seen from the technical side, the authorization check works fine, no matter whether the fields of an authorization object are maintained with ' ' (with green traffic lights) or stay empty (with yellow traffic lights).
Thanks a lot!
Completely agree with you.
Also useful are "placeholders", which have no meaning until real values are needed. These are better than open fields, as you can search for them and use a naming convention for maintaining open fields which determines whether they are destined for:
D = deactivation of the object is probably OK as optional and not used.
4 = SU24 will come later, such as S_DATASET
2 = Reported to SAP as it always makes sense
5 = Available in next SP so accept in SU25 (successful SAP Note)
@ = Leave like this forever. It is a banana until needed.
JBU = Julius Bussche needs to provide infos otherwise we * it
' ', stupid = Some stupid clown hardcoded a space by including the field type.
""""""" = Extreme stupid check
*, ' ' = Double extreme stupid check
This way you can at least mark the fields, as any value is usually sufficient; you can search for values which you know you still have work to do on; and when you process SU25 at upgrades (if you stick around...) or read traces, you can easily see what needs to be transferred to the roles or SU24.
In most cases I just use '@' and 'JBU'.
ps: Some fields have input validations. So you cannot use bananas.
pps: Some fields are correctly open in SU24, you need to choose in the role.
ppps: Some bananas persuaded SAP to maintain ACTVT field for transactions such as SU01 and PFCG although they are also display capable - shame on them!