Customers with such a case regularly contact us. Creating a Permission Concept from the ground up is often a time-consuming task. Furthermore, the know-how, which aspects should be dealt with in an authorisation concept and how the corresponding processes can look practical and at the same time audit-proof is often lacking. Our solution: tool-based generation of an individual, written authorisation concept In this situation, we have recommended to our customers the tool-based generation of a written authorisation concept directly from the SAP system. We use the XAMS Security Architect tool, with which we have had good experiences. This includes a template for a revision-proof and comprehensible, written authorisation concept. It includes established best practices for role and entitlement management. The template covers all relevant areas in a permission concept. The included text of the authorisation concept is completely customisable, so that the concept can be tailored to your situation without creating a permission concept from scratch. Dynamically update the written authorisation concept One of the biggest challenges after the development of an authorisation concept is to keep it up to date in the long term and to measure the sustainable implementation in the system. This is achieved by integrating live data such as configuration settings and defined rules directly from the connected system. For example, lists of existing roles or user groups and tables are read from the system each time the document is generated and updated in the permission concept. The following screenshot shows an example of what the appearance in the concept document might look like. Automatically check and monitor compliance with the concept To check compliance with the concept, the XAMS Security Architect includes extensive inspection tools. These cover the rules formulated in the concept and are suitable for measuring the extent to which the reality in the system meets the requirements formulated in the concept.
Basically, an excellent IT knowledge is required. In addition, SAP administrators must of course be particularly competent in this area and be able to deal confidently with all issues relating to SAP solutions. Since they often also work in international companies, it is an advantage if they have a very good command of written and spoken English.
Structure of SAP Basis
You will need to download the support package again. CANNOT_DETERMINE_DATA_FILES: The name of a data file could not be determined because a profile parameter was not configured correctly. Verify the settings using the RSPARAM report. CANNOT_DISASSEMBLE_R_DATA_FILE: Unable to extract an R3trans data file. A possible cause of error is that the appropriate OCS file was not found or the data file could not be opened for writing. An error occurred while transferring a 20K block from the EPS inbox to the /usr/sap/trans/data (UNIX) directory. CANNOT_DISASSEMBLE_D_DATA_FILE: Unable to extract an ADO data file. The reasons are the same as for CANNOT_DISASSEMBLE_R_DATA_FILE. CANNOT_CREATE_COFILE: The cofile could not be created from the corresponding data file. One of the possible causes of error is that
adm does not have write permissions for the /usr/sap/trans/cofiles (UNIX) directory.
In the area of SAP Basis it is necessary to make temporary changes in the security settings of the clients and systems in the course of system updates. You can use the system changeability variable to specify whether changeability of cross-client data, such as programs or menus, as well as client-independent customizing is allowed.
Some missing SAP basic functions in the standard are supplied by the PC application "Shortcut for SAP Systems".
The functionality initially includes a generic repository for user- and role-specific data and centralised access to that data by user and role maintenance.
After one activation of the BW content and some standard jobs, you select one or more systems for which you want to activate UPL.