Centrally view user favourites
What to do when the auditor comes - Part 2: Authorizations and parameters
In general, you should note that not all relevant change documents of a system are present in the user and permission management. As a rule, authorisation administration takes place in the development system; Therefore, the relevant proof of amendment of the authorisation management is produced in the development systems. By contrast, you will find the relevant user administration change documents in the production systems; Therefore, you should note that when importing roles and profiles in the production systems, no change documents are written. Only transport logs are generated that indicate that changes have been made to the objects. For this reason, the supporting documents of the development systems' authorisation management are relevant for revision and should be secured accordingly.
Certain SAP authorizations, including those for table maintenance (S_TABU_*) require special attention for data protection reasons. These are known as critical authorizations. In the course of authorization planning, a company should determine which authorizations are to be considered critical, which roles may receive which critical authorizations or values for critical authorization fields, and so on. The German Federal Office for Information Security has compiled detailed information on defining critical authorizations.
Assignment of critical authorizations and handling of critical users
A new transaction has been added to evaluate the system trace only for permission checks, which you can call STAUTHTRACE using the transaction and insert via the respective support package named in SAP Note 1603756. This is a short-term trace that can only be used as a permission trace on the current application server and clients. In the basic functions, it is identical to the system trace in transaction ST01; Unlike the system trace, however, only permission checks can be recorded and evaluated here. You can limit the recording to a specific user. You can also use the trace to search only for permission errors. The evaluation is similar to the evaluation of the system trace in the transaction ST01. In transaction STAUTHTRACE, however, you can also evaluate for specific authorization objects or for specific permission check return codes (i.e. after positive or negative permission checks). You can also filter multiple entries.
After defining the roles and generating the corresponding authorization profiles, the individual persons in the company are then assigned to the roles. In the process, the so-called user comparison takes place and the role-specific authorizations are stored in the user master record. The master record contains all information about an SAP user, including authorizations.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
How do I merge the user menu from different roles or disable it altogether? How can the generated passwords be adapted to your needs? How can you automatically perform user master matching after role assignments via the PFCG transaction? And how can you prevent assignments from being transported from users to roles? We'll show you how to make these settings.
The goal of data analytics is to use existing technology, data processing algorithms and statistical methods to support management in the decision-making process.