Configure Security Audit Log
Hash values of user passwords
Developer and customizing authorizations represent a great potential danger in productive SAP systems. Here, authorizations must be assigned very restrictively, e.g. only to emergency users. The same applies to RFC connections from a development system to productive systems. Such connections can only be used to a very limited extent.
In many distributed organisations, the Profit Centre is used to map out the distributed units. However, this was only possible for FI with additional programming. In integrated data flows in SAP ERP, the sending application usually does not check the authorization objects of the receiving application. Financial Accounting (FI) in SAP does not check permissions for cost centres and profit centres. However, depending on the case of use, this may be necessary, e.g. if distributed entities are to operate as small enterprises within the enterprise and only collect and view data for this particular unit at a time. With the introduction of the new general ledger, SAP has technically merged the financial accounting and the profit centre account, so that the question of the inclusion of profit centre allowances in FIs becomes even more important.
Note the maintenance status of permissions in roles and their impact
You can use your own authorization objects to develop permission checks to authorise your custom applications or extend default permissions. So far, the maintenance of the authorization objects has been very unmanageable. Authorization objects can be displayed and recreated in the transaction SU21. Creating authorization objects over this transaction has not been very user-friendly. If the input was not done correctly, the dialogue was sometimes not transparent and confusing for the user. The same was true for storing a authorization object. Several pop-up windows indicate further care activities. Another problem is that the proof of use of the authorization object is limited to finding implementations of the authorization object. However, authorization objects are also used in other places, such as suggestion value maintenance and permission maintenance. Another problem is the use of namespaces. For SAPartner who want to maintain their permission checks in their namespaces, the classic name rooms, starting with J, are used up.
So much information... how can you keep it so that you can find it again when you need it? Scribble Papers is a "note box" that makes this very easy.
You should not grant large permissions for the SCC4 and SE06 transactions to internal and external auditors, just so that they can see the system modifiability. We present the report, which only requires the permissions a auditor usually has to view the system modifiability. There are several people who want to view the system modifiability settings in your system for specific reasons. These can be internal auditors, auditors or developers. The display of these settings, e.g. via the SCC4 or SE06 transactions, is not in itself critical; However, this has previously required permissions that are not usually assigned to the group of people just described. Since SAP NetWeaver 7.0, there is also a report that shows the system modifiability settings. This report requires only viewing permissions that can be assigned to the above-described group without any concerns. We present the application of this report and the required permissions here.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
Then assign your new customer-owned programme with the GCX2 transaction to the GBLR user exit control workspace.
After you have completed the development of the User-Exit, you still need to transport your validation.