SAP Basis Fiori Permissions for tile groups in PFCG - NW Admin

Direkt zum Seiteninhalt
Fiori Permissions for tile groups in PFCG
What has changed in the past ten years and what can we expect in the next ten? How will they affect the requirements profile of SAP Basis experts and how can they adapt to them?
This makes the technical user the dialogue user and a login in the SAP system is unrestricted. So Johannes logs in with the known password of the RFC user in the production system. Thanks to very extensive permissions, it now has access to all sorts of critical tables, transactions, and programmes in production. With the identity of the RFC user Johannes starts with the technical compromise of the production system... RFC Security: All invented - or everyday threat? Whether a simple trim, altered biometric properties or an encapsulated technical user in the SAP system: the basis of the compromise is the same. A person uses a different identity to gain access and permissions to protected areas. Moreover, the evil in all three stories could have been prevented by pro-activity. When was the last time you thought about the security of your RFC interfaces? Can you say with certainty that all your technical RFC users only have the permissions they actually need? And do you know who exactly knows the passwords of these users? Can you 100% rule out that not now in this moment an SAP user with a false identity infiltrates your production systems? Change now: It's about pro activity! But before you start now and start looking for the "identity converter" (which I really do not recommend!), I suggest that you take root of evil and proactively strengthen your RFC security. So if you want to find out more, I have the following 3 tips for you: 1) Our e-book about SAP RFC interfaces 2) Clean up our free webinar about RFC interfaces 3) Blog post about our approach to optimising RFC interfaces As always, I look forward to your feedback and comments directly below these lines!

We are transparent and open. It is not part of our philosophy to make ourselves irreplaceable with you. In our eyes, this is a matter of course for a long-term partnership.
SAP monitoring
Automatic error handling when a job is aborted is desirable and useful in most cases. The conscious processing and consideration of error situations in job chains - also at step level - can help to reduce manual effort. Error situations should be catchable: If they are non-critical elements, the following job can perhaps be started anyway. In the case of critical errors, a new attempt should be made or an alert issued so that an administrator can intervene manually. Simple batch jobs are usually not capable of this. The goal of an automated environment is not to have to react manually to every faulty job.

Some useful tips about SAP basis can be found on

A secure SAP system does not only include a good role concept. It is also necessary to check whether a user should (still) have a specific role. Regular verification of role assignment is called recertification. In this blog post, I'd like to introduce you to the need for recertifications and our own tool, EasyReCert. The need for recertification - scenarios: Example 1: The "apprentice problem" Imagine the following scenario: A new employee (e.g. apprenticeship or trainee) will go through various departments as part of his or her training and will work on various projects. Of course, an SAP User will be made available to your employee right at the beginning, which is equipped with appropriate roles. As each project and department passes, the employee repeatedly needs new permissions to meet the requirements. After the employee has successfully completed his or her induction and is now in a permanent position, he or she still has permissions that are not necessary to perform his or her duties. This violates the principle of "last privilede" and represents a potential security risk for your company. Example 2: The change of department The change of department is one scenario that probably occurs in every company. If a change of department does not automatically involve a complete reallocation of roles and the employee simply takes his old permissions with him, critical combinations of permissions can occur very quickly. For example, an employee who has permissions in accounts payable and accounts receivable violates the SoD ("Segregation of Duties") principle and poses a potential security risk to your company. Recertification as part of a revision: The two examples above show that a regular review of role allocation identifies potential security risks for your business and can be addressed.

"Shortcut for SAP Systems" simplifies tasks in the area of the SAP basis and complements missing functions of the standard.

However, it is not correct to refer to the SAP NetWeaver and SAP HANA platforms as SAP Basis.

So much information... how can you keep it so that you can find it again when you need it? Scribble Papers is a "note box" that makes this very easy.

A degree in computer science is usually required and is now almost obligatory.
Zurück zum Seiteninhalt