Rebuilding the authorization concept
Organisationally restrict table editing permissions
Manual authorization profile - To minimize the editing effort when using manual authorization profiles, you usually do not enter individual authorizations in the user master record, but authorizations combined into authorization profiles. Changes to access rights take effect for all users whose user master record contains the profile the next time they log on to the system. Users who have already logged on are therefore not initially affected by changes.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.
For a long time, SAP authorization consultants and ABAP developers have disagreed on how to implement authorization object characteristics in the coding. There are two positions: On the one hand, consultants advise never to test for the signal word DUMMY, the constant space or the literal ' '. These tests only superficially check for the existence of an authorization object and do not react to settings in the field specification in the profile of the roles. Moreover, the literal ' ' is then authorized because it is displayed in the transaction STAUTHTRACE. On the other hand, there are situations where development uses these superficial tests to save the user time and the machine resources. If the program determines early on that the user does not have the necessary objects in the user buffer, it may abort before the first SELECT and issue an appropriate error message. Both positions contain a kernel of truth. Let's look at the effects of different programming on a simplified example. The role(s) have only the authorization object S_DEVELOP with the field value DEVCLASS "Z*".
RS_ABAP_SOURCE_SCAN
If you no longer need old audit results, you can archive or delete them with the transaction SAIS via the button (Administration of the Audit Environment). The audit results shall be selected on the basis of the audit structures, the test numbers or the entry date (see figure next page).
The most important security services regarding permissions are the EarlyWatch Alert (EWA) and the SAP Security Optimisation Service (SOS). You compare the settings in your SAP systems with the recommendations of SAP. Both services are delivered as partially automated remote services; You can also use the SOS as a fully automated self-service. The EWA and SOS shall carry out eligibility tests, the results of which shall always be as follows: The heading indicates the check in question. A short text describes the importance of the audited entitlement and the risk of unnecessary award. A list indicates the number of users with the validated permission in the different clients of the analysed SAP system. The SOS also allows you to list the users. In the SOS, a recommendation is made for each check to minimise the identified risk. A final formal description represents the checked permissions. However, not only the explicitly mentioned transactions are evaluated, but also equivalent parameter or variant transactions.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
Many of the authorisation concepts we found in customers were not suitable to meet the requirements.
Secure management of access options in the SAP system is essential for any company.