System Security
Centrally review failed authorisation checks in transaction SU53
SAP authorizations control the access options of users in an SAP system - for example, to personal data. Secure management of this access is essential for every company. This makes authorization concepts, authorization tools and automated protection of the SAP system all the more important in order to meet the stringent legal requirements with little administrative effort.
The Security Audit Log can also log customer-specific events in restricted way starting with SAP NetWeaver 7.31. The event definitions DUX, DUY and DUZ are reserved for customers and delivered with a dummy expression. For these events, you can then define individually configurable messages using the RSAU_WRITE_CUSTOMER_EVTS function block. To do this, you must first identify the additional necessary events and define their message texts and variables. Note that you may not change the meaning of the message and the arrangement of the variables later, as this would prevent older log files from being readable. Finally, you must include the new message definitions in your filters (transaction SM19). You will find the corrections and an overview of the required support packages in SAP Note 1941526. Since the use of this functionality requires extensive knowledge about the Security Audit Log, it is important that you also consider the recommendations in SAP Note 1941568 and that you can be supported by a basic consultant.
Set password parameters and valid password characters
In order to make a well-founded statement about the complexity and the associated effort, a fundamental system analysis is required in advance. The results obtained from this form an excellent basis for estimating the project scope and implementation timeframe.
Another important authorization object for background processing is the object S_BTCH_NAM, which allows a user to run the steps of a job under another user (see SM36 -> Edit step). Here, a name other than the user's own can be entered in the user field of a step. The prerequisite is that the job scheduler has an authorization for the object S_BTCH_NAM, which contains the name of the step user, and that the step user exists in the same client as the job scheduler itself. From 4.6C: The step user must be of type Dialog, Service, System or Communication.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
In the transaction, you can modify SCUM to change the field allocation properties so that fields that were originally globally distributed across the ZBVs are also locally maintainable.
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
The General Data tab allows you to specify users, project managers, project times, and the language for the information texts.