Set up login locks securely
Compensating measures for segregation of duties conflicts
Despite progressive use of web interfaces in the S/4HANA context, batch processing for mass data is still required. However, our experience from customer projects shows that only very few authorization administrators know how to correctly authorize the scenarios. SAP OSS Note 101146 provides a good overview here. In this blog post, we would like to summarize the context for practical use.
If you want to know more about SAP authorizations, visit the website www.sap-corner.de.
So much information... how can you keep it so that you can find it again when you need it? That's what Scribble Papers is great for.
To access business objects or execute SAP transactions, a user needs appropriate authorizations, since business objects or transactions are protected by authorization objects with multiple authorization fields. Authorizations represent instances of generic authorization objects and are defined depending on the employee's activity and responsibilities. The authorizations are combined in an authorization profile (Generated profile), which is assigned to a role. User administrators then assign the appropriate roles (single role or composite role) via the user master record so that the user can use the appropriate transactions for his or her tasks.
Evaluation of the authorization check SU53
The report shows system owners in real time which roles exist in SAP SuccessFactors and which authorizations these roles contain. The report also shows which roles are assigned to which users and whether there are duplicates, for example of groups or authorizations. The user can export this overview at any time.
The SAP standard offers various ways to record and play on a massive scale. These tools are generally available for all operations in the SAP system, not just for role maintenance. Therefore, they are also more complex to operate, in order to be able to cover as flexibly as possible all possible application scenarios. eCATT is also no exception, so many users are still afraid to use it. But we can tell you from experience: After the second or third time, the creation of the test scripts is so quick that you'll wonder why you haven't always done it this way.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
If there is no user master set for SAP*, anyone can log on to the SAP system after rebooting with this user, as the default password will then apply.
If you use configuration validation, we still recommend that you use the AGS Security Services, such as the EarlyWatch Alerts and SAP Security Optimisation Services, which we describe in Tip 93, "AGS Security Services." SAP keeps the specifications and recommendations in the AGS Security Services up to date and adapts them to new attack methods and security specifications.