Organisationally restrict table editing permissions
System trace function ST01
The topic-related audit structures are created based on area menus. On the one hand, SAP default audit structures are offered, and on the other hand, you have the possibility to create custom audit structures as area menus. The advantage of the audit structures as area menus is that you can use existing area menus or simply create new area menus. The SE43 transaction gives you an overview of the existing area menus; It is also used to maintain and transport area menus.
If a user is assigned SAP_ALL, he has all permissions in an ABAP system. Therefore, particular care should be taken in the dedicated award of this entitlement. SAP_ALL can be generated automatically when you transport authorization objects. The SAP_ALL_GENERATION parameter must be maintained in the PRGN_CUST table.
Implementing the authorization concept in the FIORI interface
Even more critical is the assignment of the comprehensive SAP® standard profile SAP_ALL, which contains almost all rights in the system. Therefore, it should be assigned to a so-called emergency user at most. The handling of the emergency user should also be specified in the authorization concept, which should be documented in writing. In any case, the activities of the emergency user should be logged and checked regularly. Therefore, it is essential in preparation for the annual audit to check the current, as well as the historical, assignments of SAP_ALL. It is therefore not sufficient to simply quickly remove the SAP_ALL profile from users in the run-up to the annual audit. It must also be proven that the SAP_ALL profile was not briefly assigned for a few days over the audit period. If SAP_ALL assignments did occur, ideally these have already been documented and checked. If this is not the case, it is essential to create documentation that cannot be changed, in which it is proven why the assignment was necessary and that the user has not carried out any critical actions beyond this (filing and review of logging).
The Three Lines of Defense model is used to systematically approach risks that may arise in companies. It integrates operational controls as well as risk management, information security, and internal auditing. It can be used to assess and classify the risks arising from SAP authorizations. The monitoring of risks is incorporated into the processes, so that there is constant control by various bodies. This reduces the risks considerably and ensures a clean authorization assignment.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
Once a matching organizational level is found, the system performs the authorization check for the other fields of the authorization object (e.g., type of object or activity); if the system cannot determine a common organizational level, processing is rejected.
This is also useful because only the application developer can decide what properties the privileges of using the objects in the application should have.