Query the Data from an HCM Personnel Root Record
Unclear objectives and lack of definition of own security standards
Authorizations are used to map the organizational structure, business processes and separation of functions. Therefore, they control the access options of users in the SAP system. The security of business data depends directly on the authorizations assigned. For this reason, the assignment of authorizations must be well planned and executed in order to achieve the desired security.
The security of an SAP system is not only dependent on securing the production system. The development systems should also be considered, since here it is possible to influence the productive system via changes to be transported in the development environment and in customizing or via inadequately configured interfaces. Depending on the conceptual granularity of responsibilities in the development and customizing environment, more detailed authorization checks may need to be performed.
SAP Security Automation
Insert SAP Notes 1656965 and 1793961 into your system. With these hints, the report RSUSR_LOCK_USERS is delivered or extended. This report supports automatic selection and blocking of inactive users. To do this, you have to select the criteria in the selection screen of the RSUSR_LOCK_USERS report, according to which you want to lock or invalidate users. You can determine the choice of users by using various criteria. It is recommended to take into account the period since the last login in the Days since last login field and the password status in the Days since password change field. You have the option to check the result of the selection and view the users found. To do this, select the Test of Selection action in the Select Action pane. You can also choose between the User Lock-outs (Local Lock-outs) and User Unlock (Local Lock-outs) actions in this area. You can set the end of a user's validity by clicking the corresponding options for "today" or "yesterday". Note that you can only set the validity for current users.
However, there is also the situation that eligibility fields are collected at organisational levels. If these permission fields have already been filled with values in the PFCG roles, you must refill these organisation levels after categorising the permission fields as organisation levels. The PFCG_ORGFIELD_ROLES report helps you to do this, which matches all the roles with the organisation level fields, i.e. with the permission fields maintained in the organisation level fields.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
The only way to qualify your UI components is to manually maintain the UIU_COMP authorization object.
However, at the latest during the next review, targeted queries with data combinations - and thus several SUIM query sequences - must be delivered within a short time.