Application Permissions
Use SAP_NEW correctly
The case that the user buffer is not up to date is very rare. The auth/new_buffering profile parameter sets the value 4 to immediately update the permissions, i.e. changes to the user root or roles or profiles, and write them to the USRBF2 database table without requiring a new login. This value is set by default. The fact that the buffer is not up-to-date is recognised by the fact that existing permissions that are not in the buffer are marked in the transaction SU56 with the note "In the root data but not in the user buffer".
If you want to know more about SAP authorizations, visit the website www.sap-corner.de.
So much information... how can you keep it so that you can find it again when you need it? That's what Scribble Papers is great for.
Administrative activities are used to control system behavior and make various security-relevant settings. To minimize the risk of a system failure or the creation of a security vulnerability, administrative rights should only be granted to employees in the basic administration. The following list may be supplemented by suggestions from the company's own administration. It contains only the most important authorization objects for each subject area.
Make sense in maintaining proposal values
If you use configuration validation, we still recommend that you use the AGS Security Services, such as the EarlyWatch Alerts and SAP Security Optimisation Services, which we describe in Tip 93, "AGS Security Services." SAP keeps the specifications and recommendations in the AGS Security Services up to date and adapts them to new attack methods and security specifications. If you have identified new security issues within a security service, you can set your target systems accordingly and monitor these aspects in the future.
You should archive all document types at the same time intervals; This is especially true for the US_USER and US_PASS archive objects. It is customary to keep the supporting documents between 12 and 18 months, as this corresponds to the retention periods for the revision. For performance reasons, if you want to archive in shorter intervals, you should always archive all archive objects at the same time and store the PFCG and IDENTITY archive object classes in separate archives. In this case, it may be useful to download the archived revision documents back to a shadow database to make them available for faster review. You can use the following reports: RSUSR_LOAD_FROM_ARCH_PROF_AUTH / RSUSR_LOAD_FROM_ARCHIVE. You can also archive the table change logs with the BC_DBLOGS archive object.
With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.
To install this extension, you will need a kernel patch.
In the description, indicate for which organisational access (organisational level, but also cost centres, organisational units, etc.) the organisational unit per application should be entitled; So what you're doing is mapping out the organisation.