Cooperation with internal support
Personalisation of role in PFCG / user in SU01
In this article on SAP Security Automation I would like to take a look at the future of automated processes in the SAP Security area. For many companies, the topic of security automation still offers a lot of potential in terms of time savings and process optimisation. Our daily work environment offers numerous tasks that could be handled excellently automatically. For this reason, in this article I present two of the possibilities that already exist in the broad area of security automation. Security Automation via SAP Security Check The first option of Security Automation, which I want to introduce here, is the automatic verification of the existing permissions. Have you ever wondered who has critical permissions in your SAP system? And have you ever tried to do this by hand? Depending on the level of expertise and experience of the privilege administrator, this is a time-consuming work. If an audit is also announced and the SAP system is to be checked for critical permissions and segregation of duties, then it is very difficult to meet all requirements and secure the eligibility landscape in this respect. For this reason, various vendors provide solutions to automate the verification of the permission system with regard to critical permissions and segregation of duties using tool support. This allows permission administrators to use their valuable time to correct the errors rather than just looking for them. For example, we use a tool that runs through the verification of over 250 rules. We then get an evaluation of which rules are violated and which points are correct. A simple example of such rules is the use of the SAP_ALL profile. Another would be to grant the jump permission in debugging (S_DEVELOP permission object with the ACTVT = 02 field). These are two relatively simple examples of Security Check tools' rulebook. In addition, queries are also made, which are located in the field of Segregation of Duties. Using this tool allowed us to move from manual validation of critical permissions to an automatic process.
I recommend that you schedule the background job PFCG_TIME_DEPENDENCY with the report RHAUTUPD_NEW. Scheduling the RHAUTUPD_NEW report with two variants has proven to be a best practice: Once a day before users log on for the first time (e.g. midnight or very early in the morning). This way the users are synchronized once a day. Once a month (or even once a week) with the option "Perform cleanup", so that obsolete profiles and user mappings are regularly cleaned up. Also handy: If the naming conventions of your roles allow it, you can also align the report according to different time zones. For example, I have a customer who runs the user synchronization for his users in the USA and Asia at different times, so that the daily business of the respective users is not disturbed.
SCC9 Client copy - copying a client
Only one transaction code can be entered here, otherwise a single role would always be searched, which includes all transactions searched for and is assigned to the respective user. However, since the transactions can also be assigned to the user via different roles, this would not be useful. If you use the above Input variants are also only considered transactions that have been maintained in the role menu. If it is not certain whether the transaction was entered in the menu or in the S_TCODE privilege object of the role, up to four transactions can also be checked by searching through the S_TCODE permission object. Important is the attention and appropriate use of the AND/OR relationship. After the query is executed, the roles that contain the requested transaction and are associated with the user are now displayed. If you use the search through the S_TCODE permission object, the following result page appears. When looking at the result, in addition to limiting the number of transactions that can be entered, another drawback of this variant becomes apparent: Although both associated roles are displayed, at first glance it is not possible to see which transaction is contained in which role. To do this, the roles would have to be considered individually. If more transactions with user assignment are to be identified at the same time and the role assignment is to be seen directly, the use of the transaction SE16N is recommended.
Within the framework of an innovation team or test laboratory to be created, it is necessary to admit ideas outside of the SAP basis or to consciously use other sources of ideas within and outside the company. These may include business units, external service providers, universities or series of lectures on specific topics.
"Shortcut for SAP Systems" makes many tasks in the area of the SAP basis much easier.
Because each new block also contains information from its predecessor block.
SAP recommends a role design for Fiori permissions based on the defined catalogues and groups in the launchpad.