Authorizations in SAP BW, HANA and BW/4HANA
Create order through role-based permissions
To support the safe operation of SAP systems, SAP offers a whole portfolio of services. We present the security services offered by SAP Active Global Support (AGS). The security of an SAP system in operation depends on many factors. There are several security features in the SAP standard, such as user management, authentication and encryption capabilities, web service security features, and the various authorisation concepts. Vulnerabilities in the standard software are also regularly fixed in SAP notes and support packages. You are responsible for the safe operation of your SAP system landscapes; so you need to incorporate these features and fixes into your systems. The AGS Security Services support you by bundling the experiences of the AGS into consolidated best practices. We introduce these services and describe how they help you gain an overview of the security of your operational concept.
Locking and validity of the user account is done through the user administrator and is also valid for other authentication procedures. This means that a login via SSO is not possible for an invalid user or a user with administrator lock. We therefore always recommend that you prevent access to the system by setting the validity of users. Setting validity on assigned roles also prevents the user from performing actions in the system, but does not generally prevent them from logging in.
Use SAP_NEW correctly
Configuration validation uses the CCDB's configuration data to reconcile settings. To do this, you define your customer-specific security settings technically in a target system. This contains the specifications for the configuration of SAP systems. You can also define a target system based on the settings of an existing system and adapt it to your requirements. Then you compare the settings of your SAP systems with this target system on a daily basis and get an overview of the deviations. Since there may of course be different security requirements for the systems in your landscape (e.g. development and production systems), you can define different target systems with the appropriate settings. You then start the comparison with a target system for the relevant systems. Alternatively, you can compare to an actual system; For example, this is a useful function in the context of a roll-out.
Do you have questions about the SAP authorization concept? Do you want to revise an existing authorization concept or need help assigning SAP authorizations? Our SAP consultants will be happy to support you in all questions regarding the structure and design of SAP authorization concepts. Based on our many years of experience, we have developed best-practice procedures so that we can support you quickly and cost-effectively both with initial implementations and with challenges during ongoing operations. Arrange a no-obligation consultation and take the next step in your digital transformation.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
Starting with SAP NetWeaver 7.31, the Security Audit Log enables the complete display of longer event parameters in messages.
If you want to know more about SAP authorizations, visit the website www.sap-corner.de.
In transaction STAUTHTRACE, however, you can also evaluate for specific authorization objects or for specific permission check return codes (i.e. after positive or negative permission checks).