SAP S/4HANA® Launch Pack for Authorizations
Solution approaches for efficient authorizations
In principle, the SAP_NEW permission should not be granted in the production system. The Profiles tab displays the generated profiles in the user master record that are associated with a specific user. Here you can also assign manually created permission profiles from the transaction SU02 - even without direct role mapping. In principle, the recommendation is to use the profile generator (transaction PFCG) to generate authorisation profiles automatically. Special caution is taken when you enter generated permission profiles directly on the Profiles tab, as these assignments will be deleted by matching user assignments with the transaction PFUD if no entry is on the Roles tab for the assignment. You have probably assigned SAP_ALL and SAP_NEW to users for whom there should be no restrictions in the SAP system. But what are these two profiles different from each other and why are they necessary?
Add SAP Note 1695113 to your system. With this note, the RSUSR200 and RSUSR002 reports are extended by the selection of different user locks or validity. In the selection, you can now distinguish whether you want to include or exclude users with administrator or password locks in the selection. In addition, you can select in the report RSUSR200 whether the users should be valid on the day of selection or not. To do this, select whether you want to select the user locks as set (01 set) or not set (02 not set) in the selection screen of the RSUSR200 report in the Locking after Lock section of the User Locks (Administrator) field. This includes local and global administrator locks. In the same section, you can also select the password locks (false logins) as set (01 set) or not set (02 not set). This will filter for users that are locked because of incorrect password messages and for which a password login is no longer possible. You can select these selection criteria together or separately. Alternatively, you can also use the Use only users without locks option and additionally, in the Selecting after the user is valid between user today and user today, select not valid.
Debug ABAP programs with Replace
With the new transaction SAIS, you will enter the AIS cockpit, where you will be able to evaluate the various audit structures related to the topic. When performing an audit, under Audit Structure, select one of the existing structures and select a check number in the appropriate field. Audit structures may be subject to different audits; Therefore, you must always select an audit first. To do this, select a verification number or create a new audit. After you select the audit, the audit tree will appear in the cockpit. You can now perform the individual steps of the audit along the definition in the audit tree.
We recommend that you implement all safety instructions of priority very high (1) and high (2) directly. On the other hand, you can implement medium (3) and low (4) security advisories via support packages, which you should also include regularly. If you are unable to insert a support package at the moment, SAP will also provide you with the priority 3 and 4 security advisories. For the evaluation of the security advisories, you should define a monthly security patch process.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
Using these authorizations, any source code can be executed independently of the actual developer authorizations and thus any action can be performed in the system.
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
This function can be disabled by customising.