Implementing Permissions Concept Requirements
WHY ACCESS CONTROL
Before you start and define critical permissions, you should identify your core business processes or functions and then map the conflicting processes in meaningful combinations as so-called risk. The RSUSR008_009_NEW report cannot replace a GRC system (GRC = Governance, Risk, and Compliance) with the SAP Access Control component. Rather, this report should be understood and used as an indicator of the current system state. The report identifies the users that have the critical permission combinations defined in the USKRIA table. The identifier, which can also be called a risk ID, describes a combination of authorization objects with field names and field values. These are linked to one of the two operatives AND or OR available.
The concept for in-house developments is obligatory for every company that writes its own software. It specifies requirements, for example, for the structure, naming and documentation of program components, and in particular for dealing with safety-critical aspects. The wording should not be too general, but should explicitly address the special features of programming in SAP.
Default permissions already included
SAP authorizations control the access options of users in an SAP system, for example to personal data. Managing this access securely is essential for every company. This makes authorization concepts, authorization tools and automated protection of the SAP system all the more important.
So much information... how can you keep it so that you can find it again when you need it? That's what Scribble Papers is great for.
Here, the authorizations are either derived from the role menu (through the authorization default values (transaction SU24) or can also be edited manually in expert mode. The individual authorization objects are divided into object classes. For example, the object class AAAB (cross-application authorization objects) contains the authorization object S_TCODE (transaction code check at transaction start) with the authorization field value TCD (transaction code).
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
The passwords of the users are stored in the SAP system as hash values.
Click here on the Evaluate Trace button and select System Trace (ST01) > Local.