Apply User Management Solutions in SAP HANA
Customise Permissions After Upgrade
SAP*: The SAP* user is part of the SAP kernel, and since it is hard-coded in the SAP system, it does not require a user master set. If there is no user master set for SAP*, anyone can log on to the SAP system after rebooting with this user, as the default password will then apply. The user thus has access to all functions, since Authority Checks in this case do not take effect. You can prevent this behaviour by setting the login/no_automatic_user_sapstar profile parameter to 1. If you want to copy clients, you have to set this parameter to 0 again before you do so, because the user SAP* is required for this. Safeguard measures: Despite the parameter setting, the SAP user should have a user master set in all clients. However, you should remove all profiles and lock the user. In addition, change the password, assign the user to the SUPER user group, and log it with the Security Audit Log.
Authorization: An authorization allows a user to perform a specific activity in the SAP system based on a set of authorization object field values. Authorizations allow users to perform actions within the system.
Data ownership concept
Since 2001, SAP has been working with the German-speaking SAP user group (DSAG e. V.) Model rolls for tax inspectors developed and revised over the years. The role definition reflects an interpretation of the DSAG of the concept of tax-relevant data.
In particular, you can derive valuable information about customer transactions, since experience has shown that not all transactions are used. In this context, it is important to mention that you should only use the usage data logged and extracted from the SAP system for the optimisation of SAP role concepts. This information may only be used with the involvement of a co-determination body of your organisation, since this information can of course also be derived from individual users for performance control purposes. However, experience has shown that the use of these data with an early involvement of the institutions of codetermination and the definition of earmarks is uncritical.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
The SAP Code Vulnerability Analyser is integrated into the ABAP Test Cockpit (ATC) and thus available in all ABAP editors such as SE80, SE38, SE24, etc.
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
In the following we will show you how to define security policies and how they work.