SAP Authorizations Concept for in-house developments - NW Admin

Direkt zum Seiteninhalt
Concept for in-house developments
Data ownership concept
Do you want to automatically monitor the security settings of your systems and receive convenient evaluations? We will explain how to use configuration validation. If you have a large SAP system landscape in use, the control of the many different security settings can be complex. You define your security requirements for the entire SAP system landscape; they concern, for example, the settings of the profile parameters, the handling of safety instructions or critical permissions that may only be assigned to emergency users. You can define these requirements in the SAP Solution Manager Configuration Validation application and evaluate compliance with these requirements in all systems.

The S_RFCACL authorization object is removed from the SAP_ALL profile by inserting SAP Note 1416085. This notice is included in all newer support packages for the base component; This affects all systems down to base release 4.6C. The reason for this change is that the S_RFCACL authorization object, and especially the expression "total permission" (*), is classified as particularly critical for its fields RFC_SYSID, RFC_CLIENT and RFC_USER. These fields define from which systems and clients or for which user IDs applications should be allowed on the target system. Thus, the overall authorisation for these fields allows the login from any system and client or for any user and thus creates significant security risks.
Use system recommendations to introduce security
Another important factor that should be considered in an authorization concept is to use a uniform naming convention because, on the one hand, many things cannot be changed after the initial naming and, on the other hand, this ensures searchability in the SAP system. In addition, the preset authorization roles of the SAP system should never be overwritten or deleted, but only copies of them should be created, which can then be adapted as desired.

To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.


Each roll can be written to any number of transport orders. Information about existing records of the same role by other administrators does not take place.

With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.

In order to get an overview of the organisations and their structure, we recommend that you call the Org-Copier (in read mode!) for the various organisational fields via the transactions EC01 to EC15.

In general, we recommend you to use strong encryption mechanisms and to switch most users to an SSO login.
NW BASIS
Zurück zum Seiteninhalt