Making the RESPAREA responsibility the organisational level
Check current situation
You can send a signed e-mail to the system you want to announce the certificate to. For example, this is a useful alternative when emailing addresses outside your organisation. A prerequisite for this solution is that a signature certificate exists for your SAP system, in whose certificate list the certificate authority certificate - or certificates - of your users have been imported.
Careful preparation is a prerequisite for a successful authorisation check. A functional specification must be created for all customer-specific functionalities. This forces us to think about what the actual requirements of the application are and then describe the possible implementation. In doing so, security-related aspects, such as eligibility testing and allocation, must be taken into account. Define what you can do with this programme and also what you cannot do explicitly! In the case of a permission check, not only the activity to be performed, such as reading, changing, creating, etc. , can be checked. You can also restrict access to records by using specific criteria, such as field content or organisational separators.
Development
Add SAP Note 1695113 to your system. With this note, the RSUSR200 and RSUSR002 reports are extended by the selection of different user locks or validity. In the selection, you can now distinguish whether you want to include or exclude users with administrator or password locks in the selection. In addition, you can select in the report RSUSR200 whether the users should be valid on the day of selection or not. To do this, select whether you want to select the user locks as set (01 set) or not set (02 not set) in the selection screen of the RSUSR200 report in the Locking after Lock section of the User Locks (Administrator) field. This includes local and global administrator locks. In the same section, you can also select the password locks (false logins) as set (01 set) or not set (02 not set). This will filter for users that are locked because of incorrect password messages and for which a password login is no longer possible. You can select these selection criteria together or separately. Alternatively, you can also use the Use only users without locks option and additionally, in the Selecting after the user is valid between user today and user today, select not valid.
Similarly, SAP Identity Management version 7.2 SP 3 and above supports the installation of HANA users and the assignment of roles. You can also use Identity Management to add value to the business roles for creating a user with role assignment in the ABAP system and HANA database.
Authorizations can also be assigned via "Shortcut for SAP systems".
Suitable for this responsible task are, for example, department heads or SAP key users who are familiar with all data access options (cross-module, via report, directly to the raw table, etc.) as well as with the organizational and technical protection measures.
With this note, the RSUSR200 and RSUSR002 reports are extended by the selection of different user locks or validity.