Essential authorizations and parameters in the SAP® environment
Use SU22 and SU24 transactions correctly
Optional: S_PATH authorization object: If the test identifies 3 additional permissions checks for individual paths for the S_PATH authorization object, these are checked in the fourth step. The access type and the permission group stored in the SPTH table are checked.
If you want to know more about SAP authorizations, visit the website www.sap-corner.de.
To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.
Every action of the emergency user must be traceable, which requires the appropriate configuration of logging components such as the Security Audit Log. After the event, all log files are always evaluated and all details are recorded in documentation. It is also possible to specify in the concept that, in the event of an emergency, extended authorization may be granted to other selected users; this is up to the company to decide.
Maintaining Authorization Objects (Transaction SU21)
The user administration process, i.e. user creation, modification and deactivation, should on the one hand be available in written documented form, either as a separate document or as part of the authorization concept documented in writing, and on the other hand also be carried out in accordance with the documentation. Therefore, a reconciliation should be performed on two levels: on the one hand, it should be ensured that the documentation is up to date and, on the other hand, it should be checked whether the process was also followed in the fiscal year to be audited. Possible deviations should already be prepared argumentatively, special cases can always occur that deviate from the actual process. However, these should be documented in a comprehensible manner so that an external auditor, such as the auditor's IT auditor, can check the plausibility. All documentation should be provided with the essential information (creator, date, version, etc.) and be in a format that cannot be changed (usually PDF). Additional documentation can also be output from the ticket system, provided that the process is consistently documented via the ticket system.
However, the preferred and more comprehensive variant of a programmatic permission check is the use of the AUTHORITY_CHECK_TCODE function block. This function block not only responds to a missing permission when the programme starts, but can also specify that only the NO-CHECK check marks maintained in the transaction SE97 allow external calling from another transaction context. This is determined by the function block and not by the developer.
Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.
Authorizations are no longer made available to the user via "transaction entries" in the menu of a role.
With the introduction of security policy, it is now possible to define your own security policy for System or Service users.