SAP Authorizations Perform Risk Analysis with the Critical Permissions Report - SAP Basis

Perform Risk Analysis with the Critical Permissions Report
Query Data from a Local Table
Implement SAP Note 1171185 in your Central User Administration (ZBV) system. This note delivers the report RSUSR_SYSINFO_LICENSE, which retrieves and displays the user types from the systems connected to the ZBV. In addition, SAP Note 1307693, which contains new licence measurement functionality, must be installed on the subsidiary systems connected to the ZBV. You may also need to extend the permissions of the users in the RFC connections to the ZBV's subsidiary systems with authorizations for the object S_RFC covering the function groups SUNI and SLIM_REMOTE_USERTYPES. If SAP Note 1307693 is not installed on a subsidiary system, or the RFC user's permissions have not been adjusted accordingly, the report RSUSR_SYSINFO_LICENSE issues a warning in the application log (transaction SLG1).



See SAP Note 1763089 for the system requirements and support packages you need in order to access the new feature. These support packages deliver transaction SAIS, the new AIS cockpit. The AIS has thus been switched from the previous role concept to thematic audit structures and offers new functions, such as logging of all audit activities. The AIS has existed in the SAP system for quite a long time; it is designed as a tool for testing and evaluating SAP systems and is delivered as standard with SAP ERP. It includes the audit structures function, a collection of audit functions for the areas of commercial audit and system audit, including their documentation. The commercial audit includes organisational overviews and balance-sheet- and process-oriented functions; for example, it allows you to evaluate information about financial accounting and tax receipts. The AIS system audit covers general system audits and the analysis of users and permissions; for example, it includes functions to check profile parameters or transports.
Task & functionality of the SAP authorization concept
In addition to defining permissions for external RFC access through the authorization object S_RFC, it is possible to prevent external calls to function modules altogether. As of SAP NetWeaver AS ABAP 7.40 there is the additional SAP Unified Connectivity (UCON) layer. It controls external access to RFC function modules independently of users or roles and can be configured to suit your needs. All function modules that are to be executable via RFC are entered into the UCON Communication Assembly; if a function module is not stored there, the call is blocked. UCON has been designed to minimise the impact on RFC call performance. The necessary function modules are identified with the UCON Phase Tool (transaction UCONPHTL), which continuously monitors all external RFC calls and supports the introduction of the UCON Communication Assembly. This allows calls to new function modules (for example from custom developments or support package changes) to be analysed and, if necessary, released for external access. In addition, UCON offers the possibility of reviewing the configuration in an evaluation phase before it is enforced. There are approximately 40,000 RFC-enabled function modules in an ERP system; usually no more than a few hundred of them are actually used. By using UCON you therefore reduce the externally reachable attack surface and increase the security of your system.
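To make the phase concept above concrete, here is a small Python model of the UCON life cycle (an added illustration, not SAP code and not the UCON implementation): a logging phase that records every external RFC call, an evaluation phase that reports what would be blocked, and an active phase that enforces the Communication Assembly allowlist. The call log and the function module names in it are constructed for the example.

```python
"""Model of the UCON phases: logging -> evaluation -> active.

Constructed example, not SAP code. The sample call log and the
function module (FM) names are made up for illustration.
"""
from collections import Counter

# Constructed sample of external RFC calls seen by the phase tool.
SAMPLE_CALL_LOG = [
    "RFC_READ_TABLE", "BAPI_USER_GET_DETAIL", "Z_CUSTOM_ORDER_STATUS",
    "RFC_READ_TABLE", "BAPI_USER_GET_DETAIL", "RFC_READ_TABLE",
]

class UconModel:
    def __init__(self):
        self.phase = "logging"
        self.observed = Counter()   # what the phase tool has recorded
        self.assembly = set()       # the Communication Assembly allowlist

    def call(self, fm):
        """Return True if an external RFC call to fm is allowed now."""
        self.observed[fm] += 1
        if self.phase == "active":
            return fm in self.assembly   # enforcement: unknown FM is blocked
        return True                      # logging/evaluation: record only

    def would_block(self):
        """Evaluation phase: FMs called externally but not yet in the CA."""
        return sorted(fm for fm in self.observed if fm not in self.assembly)

    def build_assembly(self, min_calls=1):
        """Seed the CA from the logging phase; an admin reviews before activation."""
        self.assembly = {fm for fm, n in self.observed.items() if n >= min_calls}
        return self.assembly

def run_demo():
    m = UconModel()
    for fm in SAMPLE_CALL_LOG:         # logging phase: nothing is blocked
        m.call(fm)
    m.build_assembly()
    m.phase = "evaluation"
    m.call("Z_NEW_UNREVIEWED_FM")      # new module appearing after the CA was built
    pending = m.would_block()          # reported, still not blocked
    m.phase = "active"
    blocked = not m.call("Z_NEW_UNREVIEWED_FM")
    allowed = m.call("RFC_READ_TABLE")
    return pending, blocked, allowed
```

The evaluation step is the point at which newly observed modules are reviewed and either added to the assembly or left blocked once the active phase starts.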

In transaction SU53 you see the entry stored for the user, and this may be old. It is therefore better to let the user display the authorization error via the menu themselves. It is worth writing a short guide for all your users on how to display the error and where to send it, a "cooking recipe: how to...". In the SU53 error excerpt, the first thing displayed is the authorization that the user is missing, so this object has to be analyzed. The further part of the error message displays the permissions assigned to the user; this information can be used to classify the user by his role set, where he belongs, and so on. Finally, in our case 1, we now know the missing authorization and must clarify whether the user should receive it or not. The specialist department must be involved, because it has to decide whether the user receives the permission. It can also happen that the problem reported by the user is not an authorization problem at all; then SU53 shows the last authorization error, which is not the cause of the reported problem. It is therefore always good to have a screenshot of the actual error message sent to you as well. It is not uncommon for developers to issue an authorization error of the type "No authorization for..." from their programs without having performed a standard authorization check at all, so that the error is not a real authorization error.

The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".

Here, the authorizations are either derived from the role menu (through the authorization default values, transaction SU24) or can also be edited manually in expert mode.

In order to be able to take into account the complex relationships in the allocation of the privileges actually needed in a manageable way, privileges in SAP HANA are bundled into roles.