Authorizations
Note the effect of user types on password rules
The four important concepts of SAP security first require a certain amount of effort. They not only have to be coordinated, formulated and made available, but also continuously updated and, above all, actively implemented. Nevertheless, the return on investment is high, because they prepare for all eventualities, provide audit security, and also offer a high level of protection for the SAP system and thus for the company itself.
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
A note box in which data of all kinds can be quickly filed and retrieved. This is what Scribble Papers promises. At first, the program looks very spartan. But once a small structure is in place, you realise the great flexibility of this little helper.
With "SIVIS as a Service" we present you the best solution for central user and authorization management in SAP. This replaces and protects you from the development end of your central user administration (SAP ZBV). SIVIS offers over 20 functions that you can flexibly combine (SaaS model), e.g. over 1,000 role templates for S/4HANA! This means that a new authorization concept can be quickly implemented! The encrypted connection to your SAP systems enables secure distribution of all changes made in the SAP standard.
Protect Passwords
Without generic table logging, certain changes in the system are not traceable. Learn how to turn on table logging in the system for a large set of tables. The SAP system writes change documents for most changes - but not all. Specifically, changes to tables in which the customising is performed are not recorded in the modification documents. This may lead to a lack of comprehensibility of changes. Avoid this by basically enabling table logging and then setting logging for specific additional tables. You should always enable table logging for all clients. However, during a release upgrade it may be necessary to temporarily disable table logging.
You can use the BAdI SMIME_EMAIL of the SMIME extension spot and implement the CERTIFICATE_RETRIEVAL and CERTIFICATE_SELECTION methods according to your requirements. This BAdI is called whenever an encrypted e-mail is sent. An extension allows you to search for a valid certificate at run time (for example, the one with the longest validity) to the recipient's email address in a source you defined. In the default implementation, the BAdI searches for the certificate in the Trust Manager's address book. For details on the availability of BAdIs, see SAP Note 1835509.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
Now create a PFCG role that includes the report transaction permission and maintain the open permission fields.
Then you create a subroutine with the same name as the User-Exit definition and programme your customised checks (for example, for specific data constellations or permissions).