User master data
ACCESS CONTROL | AUTHORIZATION MANAGEMENT FOR SAP®
When it comes to preparing for the auditor, it should definitely be checked whether all critical authorizations, as well as the important parameters, have been correctly assigned or set up in SAP®. The specifications for this should all be defined in the authorization concept documented in writing and must also be consistent with this. In this context in particular, however, it is not always easy to check all the essential points using the SAP® standard on-board tools. This is where the experienced auditors at IBS Schreiber GmbH can provide support.
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
The freeware Scribble Papers puts an end to the confusing paper chaos. The tool is also suitable for storing, structuring and quickly finding text documents and text snippets of all kinds in addition to notes.
You can find the evaluation methods in table T77AW. A valid evaluation method for our example is US_ACTGR. To assign the roles indirectly, the following requirements are required: Organisational management must be active, i.e. you must have defined an active plan variant in the client. To be able to use the employee-user connection in a SAPERP-HCM system, Info Type 0105 (Communication) and Subtype 0001 (User ID) must be maintained. To enable role management via organisational management, you must set the HR_ORG_ACTIVE switch in the PRGN_CUST table to YES in the Customising.
Transports
It is very important that critical authorizations are generally subject to a monitoring process in order to be able to ensure that they are assigned in a productive system in a very restricted manner or not at all. Law-critical authorizations in particular, such as deleting all change documents, debugging ABAP programs with Replace, and deleting version histories, must never be assigned in a production system, as these authorizations can be used to violate the erasure ban, among other things. It must therefore be ensured that these authorizations have not been assigned to any user, not even to SAP® base administrators.
It should be noted, however, that the system writes all authorization errors of the user into the memory area of SU53. I.e. if there is a so-called double hit, i.e. several authorization errors occur, only the last error is always in this area. I prefer to have the user run the transaction until the error message "No authorization...", then use the menu to display the error, and send me a screen shot of the first page of output. This way I avoid that the user creates another authorization error when calling transaction SU53, which covers the original one. As a user administrator or role administrator, you can also call SU53 yourself and display the error entry of another user via the menu. However, this does not always work.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
In order to use the statistical usage data, you must first extend the default SAP value of the retention time to a reasonable period of time.
The authorization roles shown in the graphic merely indicate the technical specifications preset by SAP.