ACCESS CONTROL | AUTHORIZATION MANAGEMENT FOR SAP®
Coordinate authorisation management in customer-owned programmes
When considering the security of SAP transport landscapes, it is not only the production system that is relevant for auditing. The other systems, including the development systems, must also be included in the risk considerations. The SAP_ALL profile is still frequently used there instead of concrete roles. This article identifies the main risk areas.
The Security Audit Log now logs the table or view name and the scheduled activity of external table access via RFC connections; a new message type has been defined. You can find this fix and an overview of the required support packages in SAP Note 1539105.
Roles and permissions in SAP SuccessFactors often grow organically and become confusing
Configuration validation uses the CCDB's configuration data to reconcile settings. To do this, you define your customer-specific security settings technically in a target system. This contains the specifications for the configuration of SAP systems. You can also define a target system based on the settings of an existing system and adapt it to your requirements. Then you compare the settings of your SAP systems with this target system on a daily basis and get an overview of the deviations. Since there may of course be different security requirements for the systems in your landscape (e.g. development and production systems), you can define different target systems with the appropriate settings. You then start the comparison with a target system for the relevant systems. Alternatively, you can compare to an actual system; For example, this is a useful function in the context of a roll-out.
Authorization object: Authorization objects are groups of authorization fields that control a specific activity. Authorization objects should always be defined in advance with the user group and then relate to a specific action within the system.
With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.
Therefore, avoid that your colleagues do not assign users to a user group, and thus ensure that the user master data maintenance permissions check is correct.
In any case, you should ensure that these inactive users are either blocked or invalidated.