Evaluation of the authorization check SU53
Development
All external services with their suggested values can be viewed or maintained in the transaction SU24. Access to external services or all CRM functions and data within CRM functions is realised via PFCG roles. To create these PFCG roles, you must first create a role menu. To do this, run the report CRMD_UI_ROLE_PREPARE. You can specify either the name of the CRM Business Role (User Role) or the name of the assigned PFCG role. It is also important that you specify the language in which the PFCG role will be maintained in the appropriate field.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.
If you do not maintain the values or set them to a value other than YES, the role menus of the reference user will not be taken into account when setting up the user menu. The two switches are system-wide; It is therefore not possible to define a specific shape for the client. If you set both switches to YES, you will not be able to tell from the user menu entries whether they are from the reference user's or user's role menus. Reference users have another benefit: You can also use it to inherit the contractual user type. A user inherits the classification of the reference user if they do not have any other role or profile mappings with classification, or if they have not been classified manually.
Unclear responsibilities, especially between business and IT
Even more critical is the assignment of the comprehensive SAP® standard profile SAP_ALL, which contains almost all rights in the system. Therefore, it should be assigned to a so-called emergency user at most. The handling of the emergency user should also be specified in the authorization concept, which should be documented in writing. In any case, the activities of the emergency user should be logged and checked regularly. Therefore, it is essential in preparation for the annual audit to check the current, as well as the historical, assignments of SAP_ALL. It is therefore not sufficient to simply quickly remove the SAP_ALL profile from users in the run-up to the annual audit. It must also be proven that the SAP_ALL profile was not briefly assigned for a few days over the audit period. If SAP_ALL assignments did occur, ideally these have already been documented and checked. If this is not the case, it is essential to create documentation that cannot be changed, in which it is proven why the assignment was necessary and that the user has not carried out any critical actions beyond this (filing and review of logging).
Starting with SAP NetWeaver 7.31, the Security Audit Log enables the complete display of longer event parameters in messages. To do this, the maximum storage space for variables in messages has been increased to 2 GB. To play this extension, you need a kernel patch. For the fixes and an overview of the required support packages, see SAP Note 1819317.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
In our eCATT test configuration, the prepared file can now be used to play the recording.
For example, you should increase the value of stat/rfcrec to 30, and stat/rfc/distinct should be set to 1.