SAP Authorizations Law-critical authorizations - SAP Corner

Direkt zum Seiteninhalt
Law-critical authorizations
SAP Authorizations - A Common Perspective of Developers and Consultants
You can use the Security Audit Log to control security-related events. Learn how to configure it to monitor the operations that are relevant to you. You want to use the Security Audit Log to monitor certain security-related operations or particularly well-authorised users in the SAP system. For example, you can log failed RFC calls system-wide, delete users, or log all activities of the default user, DDIC. For these loggers you need different recording filters and, if necessary, the possibility to select generic clients or users. Therefore, we will show you the settings you can make when configuring the Security Audit Log.

This representation has been chosen to show the differences in the classification of user types, because, despite the Global setting for the distribution parameter of the licence data (in the transaction SCUM), the settings in the ZBV may differ from those of the subsidiary system. In addition, you can add the columns ID in the report: Contractual User Type and ID: Show the value in central, which contains the technical values for the user type. If users on the daughter systems are not relevant for the licence measurement, the value User is irrelevant for the licence measurement in the column Contractual User Type. This value occurs for the following users: - technical user - user is not present - user is not valid - user is of type reference user.
Calling RFC function modules
Now the SAP system is basically able to encrypt emails. However, the system still lacks the recipient's public key. You can manage the required public key information in the Trust Manager's address book. You can find the address book in the Transaction STRUST menu under Certificate > Address Book. Here you can import individual certificates by selecting the corresponding certificate in Certificate > Import Certificate. To get the certificates for all relevant users in this address book via a mass import, use the example programme Z_IMPORT_CERTIFICATES appended in SAP Note 1750161 as a template for a custom programme.

You can also use the SU53 transaction to centrally view failed permission checks. Open the transaction and go to Permissions > Other Users or F5 to the User Selection menu. Enter the user whose permissions have failed in the field with the same name. In the results list, you can see permissions that have failed for each user, as in our example, the missing permission to display the AGR_1251 table. You can see that more than one authorization object appears in this evaluation.

If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.

The assignment of roles does not include any special features.

The website www.sap-corner.de offers a lot of useful information about SAP authorizations.


Before you can start upgrading the suggestion values and roles, you need to consider a few things.
SAP Corner
Zurück zum Seiteninhalt