Reset passwords using self service
Authorization concepts - advantages and architecture
Furthermore, the statistical data of other users (user activities, such as executed reports and transactions) should be classified as sensitive, since it may be possible to draw conclusions about work behavior using this data. This data can be displayed using transaction ST03N, for example. Access authorizations to the two types of data mentioned above should be assigned only very restrictively.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
The freeware Scribble Papers puts an end to the confusing paper chaos. The tool is also suitable for storing, structuring and quickly finding text documents and text snippets of all kinds in addition to notes.
If you have developed your own permission checks to use them in your own programmes or to make extensions to the SAPS standard, it is essential that you maintain the Z authorization objects as suggestion values for the respective applications. Thus, they do not have to be reworked manually in the respective roles. In addition, you have created a transparent way to document for which applications your customer's permissions are available. Last but not least, a well-managed suggestion value maintenance helps you with upgrade work on suggestion values and PFCG roles. This ensures that your changes and connections to the respective PFCG roles are retained and new permissions checks for the new release are added to the applications.
Implementing the authorization concept in the FIORI interface
You can access the ABAP Test Cockpit from the context menu of the object to be checked via Verify > ABAP Test Cockpit. Note that the global check variant of the Code Inspector that you created in the transaction SCI and that is entered as the default in the transaction ATC (ATC configuration) includes the security tests of the extended programme check of the SAP Code Vulnerability Analyser.
In the foreground, important SAP reports on the subject of role and authorization administration were presented. Since these and the entire SAP system are known to be based on ABAP coding, the analysis of the source code is just as important, especially when using in-house developments. These in-house developments often present serious security vulnerabilities because they have insufficient authorization checks in the coding. To search for explicit strings and to categorize the in-house developments accordingly, the report RS_ABAP_SOURCE_SCAN can be used. This allows existing programs in the backend to be explicitly checked for specific check patterns by the authorization administrator and any errors to be corrected by the relevant developers. Authorization-relevant check patterns for such a scan are, for example, "AUTHORITY-CHECK" or SQL statements such as SELECT, UPDATE or DELETE. The former checks whether authorization checks are present in the source code at all. The check for Open SQL patterns analyzes the code structure for direct SELECT, MODIFY or INSERT statements that must be avoided or protected on the authorization side. The best practice measure in this case is to use SAP BAPIs. The preventive best practice would be to involve developers and authorization administrators equally during the conceptual design of the custom development.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
Roles can be assigned to users directly through user management in the SU01 transaction, role maintenance in the PFCG transaction, or mass change of users in the SU10 transaction.
This improves basic management of your existing security concept and protects you against external and internal intrusions.