Evaluate licence data through the Central User Management
Implementing CRM Role Concept for External Services
In the SU10 transaction, click the Permissions Data button in the User Selection pane. At this point there is a jump to the report RSUSR002. In the selection screen of the report that appears, you can select the multiple selection to the User field by clicking the arrow button and insert the users from your selection by pressing the button (upload from clipboard).
For the entries in the SPTH table, note that the application defines whether a file is accessed with or without the path. For example, the related transactions ST11 (error log files) and AL11 (SAP directories) behave differently. While ST11 opens almost all files without a path (they are in the DIR_HOME directory anyway), AL11 basically uses fully specified file names with a path. An entry in the SPTH table with PATH = / is therefore misleading. It specifies that the defined access restrictions apply to all files specified by path. However, this only applies to applications that access files using a specified path. However, applications that access files without a path are not restricted; Files in the DIR_HOME directory may be excluded.
Using suggestion values and how to upgrade
In addition, critical commands should be prohibited from the outset. Examples are EXEC SQL, which allows direct access to database tables bypassing certain security mechanisms, and CLIENT SPECIFIED, which allows access to data in other clients.
Here, too, it is possible to create security and an overview with the help of tools for HR authorizations. The tool creates a clear overview of which data certain users are allowed to access in the SAP system. Based on this, it is possible to develop automatic checks that run in the background and regularly monitor whether changes to authorizations have created critical gaps in HR.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
In addition, you should remove the shadow database alterations before copying the client and complete the index build after the copy.
If you want to know more about SAP authorizations, visit the website www.sap-corner.de.
If the RFC (Remote Function Call) external access permissions are unneatly defined and assigned to the users, the S_TCODE authorization object quickly bypasses the primary protection for bootable applications.