SM66 Work processes of all instances
A secure SAP system does not only include a good role concept. It is also necessary to check whether a user should (still) have a specific role. Regular verification of role assignments is called recertification. In this blog post, I'd like to introduce you to the need for recertifications and our own tool, EasyReCert.
The need for recertification - scenarios:
Example 1: The "apprentice problem"
Imagine the following scenario: A new employee (e.g. an apprentice or trainee) goes through various departments as part of his or her training and works on various projects. Of course, an SAP user equipped with appropriate roles is made available to the employee right at the beginning. With each new project and department, the employee repeatedly needs new permissions to meet the requirements. After the employee has successfully completed his or her induction and is now in a permanent position, he or she still has permissions that are not necessary to perform his or her duties. This violates the principle of "least privilege" and represents a potential security risk for your company.
Example 2: The change of department
The change of department is a scenario that probably occurs in every company. If a change of department does not automatically involve a complete reallocation of roles and the employee simply takes his or her old permissions along, critical combinations of permissions can occur very quickly. For example, an employee who has permissions in both accounts payable and accounts receivable violates the SoD ("Segregation of Duties") principle and poses a potential security risk to your company.
Recertification as part of a revision:
The two examples above show that a regular review of role allocation identifies potential security risks for your business so that they can be addressed.
If you look at everything I've described up front in its entirety, it quickly becomes clear which direction things are headed: the SAP basis will increasingly move toward an SRE-centric environment over the next decade. This is what the future of SAP looks like, and I look forward to an exciting journey.
System changeability and client settings
Select the transport order from the development system that was rejected in the quality system. This is technically repackaged into the Q-System in a new order and transported to the quality system. At this point you will again have the possibility to perform the approval step you really want to perform.
If you have already defined a queue, but the queue does not meet your requirements or has encountered errors, you can delete it again. Note that your system is inconsistent if you delete the queue after objects have been imported (for example, after an error in the DDIC_IMPORT step or a later step). Deleting the queue in these SPAM steps should only be used for troubleshooting, and you should repeat the import of the support packages as soon as possible. Note that starting with SPAM/SAINT version 11, you cannot delete the queue after the DDIC_IMPORT step or any later step.
Procedure
In the initial screen of transaction SPAM, select View/Define. You will get a dialogue box that displays the current queue. In this dialogue box, select Delete Queue.
Result
The queue has been deleted. You can define a new queue.
Some SAP Basis functions that are missing in the standard are supplied by the PC application "Shortcut for SAP Systems".
The choice is ignored when a SPAM update is introduced.
According to SAP documentation, the matchups differ as follows: Profile Matchup: "The program compares the currently valid user assignments of the selected single roles with the assignments of the associated generated profiles and makes any necessary adjustments to the profile assignments."