SAP Security Concepts
Know why which user has which SAP authorization
Authorization tools in the SAP GRC Suite ensure that every company can design a highly automated compliance management system that fits exactly. The majority of German companies with an SAP system do not yet use authorization tools. However, the use of SAP authorization tools is a great advantage for many companies. The extent to which the use of authorization tools makes sense depends on the size of a company.
In general, you should note that not all relevant change documents of a system are present in the user and permission management. As a rule, authorisation administration takes place in the development system; Therefore, the relevant proof of amendment of the authorisation management is produced in the development systems. By contrast, you will find the relevant user administration change documents in the production systems; Therefore, you should note that when importing roles and profiles in the production systems, no change documents are written. Only transport logs are generated that indicate that changes have been made to the objects. For this reason, the supporting documents of the development systems' authorisation management are relevant for revision and should be secured accordingly.
What are the advantages of SAP authorizations?
The view of the executable transactions may differ from the transactions for which the user has permissions, because the RSUSR010 report displays only the transactions that are actually executable. Not only does the transaction need to be started by the S_TCODE authorization object, but the following conditions must also be met: For certain transactions, there are additional permission checks that are performed before the transaction starts. These eligibility objects are then additionally entered in the transaction SE93 (Table TSTCA). For example, queries against the P_TCODE, Q_TCODE, or S_TABU_DIS authorization objects. The transaction code must be valid (i.e. entered in the TSTC table) and must not be locked by the system administrator (in the SM01 transaction).
So much information... how can you keep it so that you can find it again when you need it? That's what Scribble Papers is great for.
The Security Audit Log now logs the table or view name and the scheduled activity of external table access via RFC connections; a new message type has been defined. You can find this fix and an overview of the required support packages in SAP Note 1539105.
With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.
We described the configuration of the retention time of the statistical usage data in Tip 26, "Use usage data for role definition".
Therefore, the BAdI is also called during maintenance by the BAPI BAPI_USER_CHANGE.