Sustainably protect your data treasures with the right authorization management
View system modifiability settings
The report RSUSR008_009_NEW (List of users with critical permissions) is provided starting with SAP Web Application Server 6.20 with the following support packages: Release 6.20, starting with SAPKB62039 Release 6.40, starting with SAPKB64003 You can continue using the old reports RSUSR008 and RSUSR009 until release 6.40. The RSUSR008_009_NEW report is delivered with the old SAI proposals for critical credentials already used in the RSUSR009 report.
From release 10.1, SAP Access Control supports the creation of users and the assignment of roles and privileges in HANA databases. If you use the concept of business roles in SAP Access Control, you can achieve an automatic installation of the users in SAP NetWeaver AS ABAP and HANA database and the assignment of the ABAP and HANA technical roles (or privileges) when assigning a business role.
Concept for in-house developments
If a user is assigned SAP_ALL, he has all permissions in an ABAP system. Therefore, particular care should be taken in the dedicated award of this entitlement. SAP_ALL can be generated automatically when you transport authorization objects. The SAP_ALL_GENERATION parameter must be maintained in the PRGN_CUST table.
Then run step 2c. Here too, there are new features. You will be shown a selection of the roles to match again. However, you have the possibility to perform a simulation of the mixing process via the button Mix. This allows you to see which permissions would be changed in the roles without actually doing so. For more information, see Tip 44, "Compare Role Upgrade Permissions".
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
Law-critical authorizations in particular, such as deleting all change documents, debugging ABAP programs with Replace, and deleting version histories, must never be assigned in a production system, as these authorizations can be used to violate the erasure ban, among other things.
For communication between SAP systems, you should use HTTPS if you think the data transfer could be intercepted.