SAP Authorizations Identify Executable Transaction Codes - SAP Basis

Direkt zum Seiteninhalt
Identify Executable Transaction Codes
Note the effect of user types on password rules
Developer and customizing authorizations represent a great potential danger in productive SAP systems. Here, authorizations must be assigned very restrictively, e.g. only to emergency users. The same applies to RFC connections from a development system to productive systems. Such connections can only be used to a very limited extent.

If you want to know more about SAP authorizations, visit the website www.sap-corner.de.

To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.

You use the RSUSR010 report and you do not see all transaction codes associated with the user or role. How can that be? The various reports of the user information system (SUIM) allow you to evaluate the users, permissions and profiles in the SAP system. One of these reports, the RSUSR010 report, shows you all executable transactions for a user, role, profile, or permission. Users of the report are often unsure about what this report actually displays, because the results do not necessarily correspond to the eligible transactions. Therefore, we clarify in the following which data are evaluated for this report and how these deviations can occur.
Maintain batch job suggestion values
The passwords of the users are stored in the SAP system as hash values. The quality of the hash values and thus their safety, however, depends on the hash algorithms used. The hash algorithms previously used in SAP systems are no longer considered safe; They can be cracked in a short time using simple technical means. You should therefore protect the passwords in your system in various ways. First, you should severely limit access to the tables where the hash values of the passwords are stored. This applies to the USR02 and USH02 tables and in more recent releases the USRPWDHISTORY table. The best way to assign a separate table permission group to these tables is to do so, as described in Tip 55, "Maintain table permission groups". In addition, you should also control the accesses using the S_TABU_NAM authorization object.

Users' favourite lists provide valuable information about the transactions they use. With the knowledge of the favourites, you can therefore avoid gaps in your authorisation concept. In the SAP system, each user has the ability to save frequently used functions as their own favourites. In practice, we have found that this feature is very often used by users. If you create a new permission concept, it is useful to include the favourites in the viewing. Because the favourites don't just store used transactions over and over again, but also transactions that users use only occasionally. These occasional transactions could be quickly forgotten when redesigning a eligibility concept. Therefore, we always recommend that you match the transactions you have considered with the favourites stored in your system.

Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.

First, you must agree on the form of the names.

Therefore, it is not possible to add a list of more than 28 users, which can be very difficult for long lists.
SAP BASIS
Zurück zum Seiteninhalt