When you add a value in su24 basically you tell the system to put that value by default when you add the object in your role maintenance.

Adding the value within pfcg only adds that value to that specific role.

Hi PT,

There is no direct link between transactions and the auth objects assigned to them via PFCG. Things like config and the way transaction are used have an impact on how the auths are evaluated for a given transaction.

As you know, we use SU24 to update the SAP delivered values to meet the auth checks in our particular implementations or as per our requirements. What this enables us to do is to ensure that when we enter a transaction, all the relevant auth objects and where appropriate fixed values are pulled through (so if you know that different usages of that tx requires different values then add the object in SU24 but leave the relevant field blank). If you remove that transaction from the role, the auths that are also required are removed from the role too, as long as the role is not in Manual or Changed status.

If you manually add the auth object then you have no link with the transaction/s that are required to run the object. You can remove the transaction and the auth object value will remain in the role. If not properly managed, you can end up with excess auths still present in roles, particularly with the S_* objects and in areas like FI where it is very easy to skip between transactions through menu options where there is no S_TCODE check, with the auth object check being the only controlling one.

Manually entered objects definitely have their uses as long as they are properly documented and managed when maintaining roles.