What to do when the auditor comes - Part 2: Authorizations and parameters
Context-dependent authorizations
If you have created your own applications, we recommend that you always implement your own permission check and do not just rely on application startup permissions such as S_TCODE, S_START, S_SERVICE, and S_RFC. If you want to add your own checks to standard applications, you must first find the appropriate place to implement the check. To develop without modification, SAP offers user-exits or business add-ins (BAdIs) for such cases. Some SAP applications also have their own frameworks in place that allow customisation-free implementation of their own permission checks, such as the Access Control Engine (ACE) in SAP CRM.
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
The freeware Scribble Papers puts an end to the confusing paper chaos. The tool is also suitable for storing, structuring and quickly finding text documents and text snippets of all kinds in addition to notes.
When defining the development policy, you should ensure that the appropriate attention is paid to access security. Customised programmes or customisations in the SAP Code Inspector ensure that all developers working in the company comply with these guidelines. Verification of compliance with the development directives should be an essential part of quality assurance before the programmes are used productively. The SE38 and SA38 transactions should not be allocated in the productive system and custom programmes should be included in own transaction codes. Permissions are then set up only for these transactions.
Further training in the area of authorization management
Increasingly, it is possible to make use of automation in the security environment. Although these are not yet used by many companies, they are the next step in digital transformation. By using automation intelligently, companies can free up resources for the innovation topics that really matter. In the future, we can expect both the number and power of automation tools to increase. It is therefore only a matter of time before SAP itself also delivers optimized support in the form of tools as standard.
If you select the SU24 Data Initialisation button, step 1 is the same and you overwrite your SU24 data with the SU22 data for the selected applications. The Auto Sync selection corresponds to step 2a. All new SU22 data will be transferred to the transaction SU24. Modified SU24 data is detected and must be matched manually. However, this information is provided to you in the Determined Synchronisation Status column. If you want to keep your SU24 data as it is for certain applications, select the button Set Status"Verified". To give you more transparency about the impact of your activities, there is a role usage proof via the Roles button. This allows you to check the roles in which the selected applications are used. With the Change Preview selection, you can see which suggestion values would be changed for your selection in the transaction SU24.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
You can now also select the user data by login data.
You can use your own authorization objects to develop permission checks to authorise your custom applications or extend default permissions.