SAP Basis PFCGMASSVAL Mass maintenance of authorization values - SAP Basis

PFCGMASSVAL Mass maintenance of authorization values
SAP Basis Services
SAP Basis experts ensure optimal integration of the SAP system into a company's individual IT landscape. Depending on the agreement, the team of experts takes care of the administration as well as the hosting and operation of the SAP system.

The basic SAP Basis operation includes the operational readiness of the SAP system, management of system changeability, configuration and administration of system profiles, analysis of system failures, operation and monitoring of technical interfaces, scheduling and monitoring of SAP standard jobs, and much more. The optional services, offered as an extension, include activities whose implementation and frequency depend on the existing system environment and which can be booked as needed (client copies, implementation of client transports and homogeneous/heterogeneous system copies, etc.). They also include performing release upgrades, installing enhancement packages, adapting new printer types, device drivers or character sets, and much more.
In practice, it is quite possible that the target specifications defined in the security concept do not match the current actual status. Therefore, especially with regard to SAP security, it must always be checked whether the necessary SAP Basis settings also correspond to the minimum level. Although a manual check is possible, it is very time-consuming because the necessary regulations have to be read, interpreted and technically implemented. The Security Architect, part of the Xiting Authorizations Management Suite (XAMS) software solution developed by Xiting, lets you examine the current status of the SAP Basis settings precisely with the help of its integrated check mode. It is also possible to check several systems via RFC, starting from a central system. The scope of the check of system settings and system security includes not only the SAP Basis settings presented here, but also other SAP Basis settings. The scope of the check mode can be extended by self-defined check IDs.

It is possible to specify a trace level for each rule in the ACL file in order to monitor each communication channel individually. The file can be used with SNC without any further configuration. Its use is controlled by the gw/acl_file parameter, which simply has to be set to the appropriate file name.

Use of external programmes

If an external programme wants to communicate with your SAP system, it must first register at the gateway. Which programmes are approved for this is controlled by the reginfo ACL file. It defines rules that allow or prohibit certain programmes. The syntax of the file lets you define not only the name of the programme, but also the host on which the programme runs and the hosts that can use and exit the programme. The gw/reg_info parameter must be set to use this file.

In addition, there is the secinfo ACL file, which lets you configure which users can start an external programme. It defines rules that allow certain usernames from the SAP system to use certain external programmes. You can also define the hosts on which these programmes will run. For example, it is possible to allow a user to run the programme "BSP" on the host "XYZ", but not on the host "ABC". This file is controlled by the gw/sec_info parameter.

Using the gateway as a proxy

Since the gateway of your SAP system can also serve as a proxy server, the prxyinfo ACL file should also be activated via the gw/prxy_info parameter. Suppose you have 3 SAP systems in your network: SRC, TRG and PRX. If SRC cannot communicate directly with TRG, but both can communicate with PRX, it would be possible to use the gateway of the PRX system as a proxy server, i.e. to communicate via it. To prevent this from being open to everyone, this capability should be restricted as a matter of urgency. As with the other ACL files, rules define which hosts can communicate with which hosts via the gateway.

The syntax of the different ACL files may vary depending on the release level. It is therefore advisable to read up on it in the appropriate SAP documentation before activating the ACL files. You can also find more support for using ACL files in the SAP Community Wiki.
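The secinfo case described above (user allowed to start "BSP" on host "XYZ" but not on "ABC") can be checked offline before a file is activated. This is an added example, not code from the page or from SAP. It assumes the key=value rule format (P or D followed by USER=, HOST=, TP=), top-down first-match evaluation and deny when no rule matches; the user name ALICE and the file content are constructed, and the syntax must be confirmed against the documentation for your release.

```python
# Added example: constructed secinfo content, not taken from a real system.
SAMPLE_SECINFO = """\
#VERSION=2
# user ALICE may start BSP on host XYZ only
P USER=ALICE HOST=XYZ TP=BSP
D USER=* HOST=* TP=*
"""

def parse_rules(text):
    """Return [(action, {key: value})] for each P/D line; skip comments and blanks."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        action = parts[0].upper()
        if action not in ("P", "D"):
            raise ValueError(f"unrecognised rule: {line!r}")
        fields = dict(p.split("=", 1) for p in parts[1:])
        rules.append((action, {k.upper(): v for k, v in fields.items()}))
    return rules

def _matches(pattern, value):
    # '*' matches anything; otherwise a comma-separated list of exact names
    return pattern == "*" or value.upper() in (p.upper() for p in pattern.split(","))

def is_allowed(rules, user, host, tp):
    """First matching rule decides; no match means deny (assumption, see lead-in)."""
    for action, f in rules:
        # Assumption: a field missing from a rule is treated like '*'
        if (_matches(f.get("USER", "*"), user)
                and _matches(f.get("HOST", "*"), host)
                and _matches(f.get("TP", "*"), tp)):
            return action == "P"
    return False

def wildcard_permits(rules):
    """Permit rules whose fields are all '*': they allow everything and defeat the ACL."""
    return [f for action, f in rules
            if action == "P" and all(v == "*" for v in f.values())]

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_SECINFO)
    for host in ("XYZ", "ABC"):
        print(host, is_allowed(rules, "ALICE", host, "BSP"))
    print("catch-all permits:", wildcard_permits(rules))
```

Running `wildcard_permits` over each ACL file as part of a review highlights permit rules that make the file ineffective.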

Tools such as "Shortcut for SAP Systems" are extremely useful in basic administration.

In conclusion, the SUIM is only partially suitable for identifying certain transactions with user assignment.

SAP Patch Manager (SPAM) (BC-UPG-OCS), SAP AG.