Further training in the area of authorization management
Assignment of critical authorizations and handling of critical users
DDIC: DDIC is the only user able to log in or make changes to the ABAP Dictionary during installations and release changes. It is also used in the client 000, e.g. for certain jobs or Unicode conversions. DDIC exists in all clients except 066. Safeguard measures: In all systems (except for client 000 due to upgrade features), set DDIC to the System user type. If necessary, you can switch it back to a dialogue user using the Emergency User. Change the password, assign the user to the SUPER user group, and log it with the Security Audit Log.
You can do without taking obsolete profile data into account by adding the correction from SAP Note 1819126 and then setting the REC_OBSOLETE_AUTHS customising switch to NO in the table PRGN_CUST. This correction is also important because it fixes runtime problems when releasing role transports, resulting from the correction in SAP Note 1614407. As a general rule, you should always run bulk transport sharing in the background.
What are the advantages of SAP authorizations?
The view of the executable transactions may differ from the transactions for which the user has permissions, because the RSUSR010 report displays only the transactions that are actually executable. Not only does the transaction need to be started by the S_TCODE authorization object, but the following conditions must also be met: For certain transactions, there are additional permission checks that are performed before the transaction starts. These eligibility objects are then additionally entered in the transaction SE93 (Table TSTCA). For example, queries against the P_TCODE, Q_TCODE, or S_TABU_DIS authorization objects. The transaction code must be valid (i.e. entered in the TSTC table) and must not be locked by the system administrator (in the SM01 transaction).
The P_ABAP (HR-Reporting) authorization object is not required to execute reports, but is intended to improve performance during execution. In addition, it can be used when reports require permissions for info types that the user should not receive in other cases, which is more common. For example, the right to display information type 0008 (basic salary) is also required for the execution of the travel statement reports. The Invoice Payer Programmes also require P_ABAP permissions to process personal data.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
However, it is not sufficient to focus only on the improvement potentials that have been presented, because it must be ensured that all those points that have not been criticized in the past will continue to fit.
Since unstructured authorizations not only create security and data protection gaps, but also complicate administration and cause problems during audits, unnecessary authorizations should be avoided.