SAP Authorizations: A concept for SAP authorizations prevents system errors and GDPR violations - SAP Basis

A concept for SAP authorizations prevents system errors and GDPR violations
Make mass changes in the table log
From release 10.1, SAP Access Control supports the creation of users and the assignment of roles and privileges in HANA databases. If you use the concept of business roles in SAP Access Control, assigning a business role can automatically create the users in SAP NetWeaver AS ABAP and in the HANA database and assign the ABAP and HANA technical roles (or privileges).

You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.

Access to this data is critical because tools may be able to recover the passwords from the hash values, which enables unauthorized logon to the SAP system. Since identical passwords are often used for different systems, a recovered password may also be usable for downstream systems. The current or former hash values of the passwords are stored in the tables USR02, USH02, USRPWDHISTORY, USH02_ARC_TMP, VUSER001 and VUSR02_PWD. These tables can be accessed either via classic table access transactions such as SE16 or via database administration transactions such as DBACOCKPIT. The authorizations required for table access via database tools depend on the respective system configuration and should be verified via an authorization trace (transaction STAUTHTRACE), if necessary.
Encrypt e-mails
Roles and their associated authorization objects, fields and values are the foundation of the SAP authorization system. These check criteria are therefore a particular focus when an authorization administrator analyzes security-relevant characteristics. The report RSUSRAUTH displays role or authorization data in the respective client. It analyzes all role data stored in the table AGR_1251. This lets you quickly find and clean up incorrect and security-critical authorizations, not only by selecting on the maintenance status of the authorizations but above all by specifying certain authorization objects and checking them. This ad hoc analysis is a time-saving way to check many roles at once against your own critical characteristics. You can make full use of this program after importing SAP Note 2069683.
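As an added illustration (not part of the original page and not the logic of report RSUSRAUTH), the following Python script scans a constructed semicolon-separated export of AGR_1251 for roles whose table authorizations cover one of the password hash tables named above. The authorization object S_TABU_NAM, the export layout and the inclusive string comparison for intervals are assumptions; authorization groups checked via S_TABU_DIS are not evaluated.

```python
import csv
import io
from collections import defaultdict

# Tables with current or former password hashes, as listed in the text above.
HASH_TABLES = ("USR02", "USH02", "USRPWDHISTORY",
               "USH02_ARC_TMP", "VUSER001", "VUSR02_PWD")

# Constructed sample export of AGR_1251 (role names and values are made up).
SAMPLE_EXPORT = """AGR_NAME;OBJECT;AUTH;FIELD;LOW;HIGH;DELETED
Z_BASIS_ADMIN;S_TABU_NAM;T_A1;ACTVT;03;;
Z_BASIS_ADMIN;S_TABU_NAM;T_A1;TABLE;US*;;
Z_FI_CLERK;S_TABU_NAM;T_B1;ACTVT;03;;
Z_FI_CLERK;S_TABU_NAM;T_B1;TABLE;BKPF;;
Z_AUDIT;S_TABU_NAM;T_C1;ACTVT;03;;
Z_AUDIT;S_TABU_NAM;T_C1;TABLE;USR02;;
Z_SUPPORT;S_TABU_NAM;T_D1;ACTVT;*;;
Z_SUPPORT;S_TABU_NAM;T_D1;TABLE;USH00;USH99;
Z_OLD;S_TABU_NAM;T_E1;ACTVT;03;;X
Z_OLD;S_TABU_NAM;T_E1;TABLE;*;;X
"""

def value_covers(low, high, table):
    """True if one LOW/HIGH value pair of the TABLE field covers `table`."""
    if high:                     # interval: inclusive string comparison (assumption)
        return low <= table <= high
    if low.endswith("*"):        # generic value: prefix match, "*" alone covers all
        return table.startswith(low[:-1])
    return low == table

def roles_exposing_hashes(export_text):
    """Map role name -> sorted hash tables covered by its S_TABU_NAM values."""
    # ACTVT is not evaluated here; every hit still needs a manual review.
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text), delimiter=";"):
        if row["DELETED"] or row["OBJECT"] != "S_TABU_NAM" or row["FIELD"] != "TABLE":
            continue             # skip deleted authorizations and other fields
        for table in HASH_TABLES:
            if value_covers(row["LOW"], row["HIGH"], table):
                hits[row["AGR_NAME"]].add(table)
    return {role: sorted(tables) for role, tables in hits.items()}

if __name__ == "__main__":
    for role, tables in sorted(roles_exposing_hashes(SAMPLE_EXPORT).items()):
        print(f"{role}: {', '.join(tables)}")
```

Roles flagged this way are candidates for review rather than confirmed findings, since the effective access also depends on the transaction and activity authorizations in the same role.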

Setting the confidentiality or encryption markers in the SEND_EMAIL_FOR_USER method affects the display of the e-mail in Business Communication Services Administration (transaction SCOT). If the email is marked as confidential, it can only be viewed by the sender or the creator of the email. The sender and the creator need not necessarily be identical, for example, if you have entered the system as the sender. The e-mail creator is the one who ran the application in the context of which the e-mail was created. The encryption flag also automatically sets the confidentiality of the email. The e-mail is not stored in the system in encrypted form, but is protected against unauthorised access by the confidentiality flag. However, access by the sender or creator is still possible. You should also note that the subject of the email is not encrypted.

During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.

For this reason, we recommend that you check the information about the use of certain versions of SAP HANA Studio in the SAP Notes.

When defining custom authorization fields, you assign a name in the Field Name field that lies in your customer namespace, and assign the corresponding data element and, if desired, a table name for a value help.