SAP license optimization
Analyzing the quality of the authorization concept - Part 1
The most important security services regarding permissions are the EarlyWatch Alert (EWA) and the SAP Security Optimisation Service (SOS). You compare the settings in your SAP systems with the recommendations of SAP. Both services are delivered as partially automated remote services; You can also use the SOS as a fully automated self-service. The EWA and SOS shall carry out eligibility tests, the results of which shall always be as follows: The heading indicates the check in question. A short text describes the importance of the audited entitlement and the risk of unnecessary award. A list indicates the number of users with the validated permission in the different clients of the analysed SAP system. The SOS also allows you to list the users. In the SOS, a recommendation is made for each check to minimise the identified risk. A final formal description represents the checked permissions. However, not only the explicitly mentioned transactions are evaluated, but also equivalent parameter or variant transactions.
When considering the security of SAP transport landscapes, it is not only the production system that is relevant for auditing. The other systems, including the development systems, must also be included in the risk considerations. The SAP_ALL profile is still frequently used there instead of concrete roles. This article identifies the main risk areas.
Use SAP_NEW correctly
Typically, users access a table's data through applications rather than directly. If so, you should take precautions and restrict access to sensitive data. End users typically do not access table-level data directly, but the data is displayed in business applications and their display is restricted in context by means of entitlement checks. However, there are cases where generic access to tables via the SE16, SE16N, SM30, SM31 or SM34 transaction is required for administrators, key users, verifiers, etc. For example, a verifier should have read access to all customising tables. However, you do not want to display security-related tables. Key users should be able to access certain reports regularly, but only read information relevant to their work. There are several ways to restrict access to tables by using table tools. This means that users can only access tables or table contents that they want to see. However, we would like to point out that the granting of permissions for these tools in the production environment is considered to be critical to security, since it is very easy to allow access to large amounts of sensitive data in the case of erroneous or excessive permissions. Therefore, only apply these permissions in a restricted way.
The freeware Scribble Papers is a "note box" in which all kinds of data can be stored. It takes in typed texts as well as graphics and entire documents. The data is then organised in folders and pages.
Call the SIMGH transaction and create your own IMG structure, such as company name Customising. You will then add node outline to this tree. Often it makes sense to break down into SAP components such as finance, controlling and sales. Now add the tree as your favourite to make it easier to find it quickly. Then call the transaction S_IMG_EXTENSION and look for the IMG structure SAP Customising Introduction Guide. This is the default IMG structure in which you must include your structure. To expand, you must specify an extension ID. If there is no extension, you must create an extension ID. Position the cursor under My Favourites on the entry SAP Customising Intro Guide, and then click the Expand Structure button.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
This usually means "making the best of it" and making ad hoc adjustments - in other words, not fixing the root cause and cleaning up from scratch.
We recommend that you run the SU24_AUTO_REPAIR correction report regularly.