SAP Security Automation
Protect Passwords
Please note that, depending on the results of the RSUSR003 report, a system log message of type E03 is generated. If a critical finding (highlighted in red) is detected, the message text "Programme RSUSR003 reports ›Security violations‹" is written to the system log. If no critical finding has been detected, the message "Programme RSUSR003 reports ›Security check passed‹" is displayed instead. This message is sent because the password status information of the default users is highly security-relevant and you should be able to track accesses to it. To run the RSUSR003 report, you can either grant the change authorizations for user and system administration, or grant an execute-only authorization using the S_USER_ADM authorization object with the value CHKSTDPWD in the S_ADM_AREA field. This authorization does not include change authorizations for user management and can therefore also be assigned to auditors.
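The E03 entries described above can be triaged outside the system once the system log has been exported. The following is an added example, not SAP code or code from the original page: the semicolon-separated export layout, the sample lines, the user names and the `EXPECTED_RUNNERS` allow-list are all constructed assumptions.

```python
import csv
import io

# Constructed sample export; the semicolon-separated column layout is an
# assumption for this example, not a documented SAP format.
SAMPLE_EXPORT = """\
date;time;client;user;msg_id;text
2024-03-04;08:15:02;000;AUDITOR1;E03;Programme RSUSR003 reports ›Security check passed‹
2024-03-04;09:40:11;100;BASIS_ADM;E03;Programme RSUSR003 reports ›Security violations‹
2024-03-04;09:41:30;100;BASIS_ADM;XX1;Unrelated entry (constructed)
2024-03-05;07:02:45;100;JDOE;E03;Programme RSUSR003 reports ›Security violations‹
2024-03-05;07:30:00;000;AUDITOR1;E03;Programme RSUSR003 reports
"""

# Hypothetical allow-list of accounts expected to run the report.
EXPECTED_RUNNERS = {"AUDITOR1", "BASIS_ADM"}


def classify(text):
    """Map the E03 message text to a result; anything else needs review."""
    if "Security violations" in text:
        return "violation"
    if "Security check passed" in text:
        return "passed"
    return "unknown"


def parse_e03(export):
    """Return one event per E03 entry written by RSUSR003."""
    events = []
    for row in csv.DictReader(io.StringIO(export), delimiter=";"):
        text = row.get("text") or ""
        if row.get("msg_id") != "E03" or "RSUSR003" not in text:
            continue
        events.append({"when": f"{row['date']} {row['time']}", "client": row["client"],
                       "user": row["user"], "result": classify(text)})
    return events


def triage(events, expected=EXPECTED_RUNNERS):
    """Split events into failed/unclear checks and runs by unexpected users."""
    findings = [e for e in events if e["result"] != "passed"]
    unexpected = [e for e in events if e["user"] not in expected]
    return findings, unexpected


if __name__ == "__main__":
    findings, unexpected = triage(parse_e03(SAMPLE_EXPORT))
    for e in findings:
        print(f"{e['when']} client {e['client']}: {e['result']} (run by {e['user']})")
    for e in unexpected:
        print(f"{e['when']} client {e['client']}: RSUSR003 run by unexpected user {e['user']}")
```

A truncated or localized message text is classified as `unknown` and kept among the findings, so it is reviewed rather than silently treated as a passed check.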
As a result, you will get an advanced IMG structure, in our example FF Log settings, which you can access via the transaction SPRO. Finally, you could use the transaction COAT (see SAP Note 1089923) to assign additional attributes to your own tables and reports, for example to mark them as relevant for the tax audit and final reports, or as performance-critical.
Displaying sensitive data
However, you can also use the where-used list in the authorization object maintenance to search for specific implementation sites. To do this, open the authorization object in the SU21 transaction. Open the where-used list via the button; a pop-up window appears in which you select the usage types to query (for example, use of the affected authorization object in programs or classes). After you make your selection in the where-used list, all of the affected implementations are listed in a table. Double-click an entry to jump to the relevant code location.
Excel-based tools typically do not know the release-specific suggestion values (they often work without the in-system suggestion value mechanism, because they do not use the PFCG transaction). This also means that it is not possible to upgrade roles with standard SAP tools, such as the SU25 transaction. In addition, the dependency on the external tool increases, and the authorization system moves further away from the SAP standard and the best practices recommended by SAP in role management.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
Which applications have similar or identical features? Use application search to find out.
The first step in the cleanup process is therefore to find out whether the current authorization concept is sufficient and a cleanup is the best way forward, or whether a rebuild of the authorization concept is necessary.