Read the old state and match with the new data
Set up login locks securely
Every SAP system (ERP) must be migrated to SAP S/4HANA® in the next few years. This technical migration should definitely be audited by an internal or external auditor.
In an SAP® system, authorizations are not the auditor's only focus. Essential system parameters are also part of the audit. For this reason, you should ensure in advance that all parameters are set up in accordance with the company's specifications. The parameters concerned are all those that ensure system and client security. Among other things, it must be ensured that the production system is protected against any kind of change and that no direct development is therefore possible.
Maintain table permission groups
Do your compliance requirements specify that the background jobs in use must be maintained with permission proposals? We'll show you how to do that. Particularly in the banking environment, there are very strict guidelines for the permissions of background jobs used for monthly and quarterly financial statements, etc. Only selected users or dedicated system users may have these permissions. To distinguish these permissions clearly from end-user permissions, it is useful to maintain the permissions for specific background jobs explicitly with suggestion values, so that these values can be reused when maintaining permissions and are therefore transparent. You may have noticed that transaction SU24 offers no way to maintain background job credentials. So what's the best way to do that?
Furthermore, the statistical data of other users (user activities, such as executed reports and transactions) should be classified as sensitive, since it may be possible to draw conclusions about work behavior using this data. This data can be displayed using transaction ST03N, for example. Access authorizations to the two types of data mentioned above should be assigned only very restrictively.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
The SE38 and SA38 transactions should not be assigned in the production system, and custom programs should be included in their own transaction codes.
They have far-reaching authorizations that can cause great damage to your system if misused.