Analysis and reporting tool for SAP SuccessFactors ensures order and overview
Features of the SAP authorization concept
In the course of a comprehensive protection of your system from the inside as well as from the outside it is indispensable to have a closer look especially at the SAP standard users. They have far-reaching authorizations that can cause great damage to your system if misused. It should be noted that they are very important for the operational execution of your SAP system and must not be deleted. However, since the associated standard passwords can be quickly researched, they must be changed immediately after delivery of the SAP ERP. You can perform a detailed check of these users using report RSUSRS003. It is also recommended to set certain default users inactive until they are actually used.
Set a specific acronym or character to indicate whether your role has critical accesses so that separate assignment or approval rules can be observed for such roles. Define here what"critical"means for your project. Do you only want to identify permissions that are critical to the operation of the SAP system, or business-critical processes? Also define the consistency that has a critical role to play in the assignment to the user.
Check Profit Centre Permissions in FI
The authorization check for the authorization objects PS_RMPSORG and PS_RMPSOEH runs as follows following a user entry: The system determines the organizational unit to which the user is assigned. Starting from this organizational unit, the system creates a list of all organizational units that are superior to the organizational unit determined in the first step in the hierarchy. The system determines the set (M1) of all organizational objects that are assigned to these organizational units. The system determines the organizational unit to which the object to be processed is assigned (corresponds to the lead organizational unit in the attributes of the object to be processed). Starting from this lead organizational unit, the system creates a list of all organizational units that are superior to the determined organizational unit within the hierarchy. The system determines the set (M2) of all organizational objects assigned to these organizational units. The system forms the intersection (from M1 and M2) of the matching organizational objects of the user and the object to be processed. The system determines the organizational levels that match for the user and the object being processed. Once a matching organizational level is found, the system performs the authorization check for the other fields of the authorization object (e.g., type of object or activity); if the system cannot determine a common organizational level, processing is rejected. If the user is allowed to perform the requested activity, processing is allowed; otherwise, the system rejects processing.
DDIC: DDIC is the only user able to log in or make changes to the ABAP Dictionary during installations and release changes. It is also used in the client 000, e.g. for certain jobs or Unicode conversions. DDIC exists in all clients except 066. Safeguard measures: In all systems (except for client 000 due to upgrade features), set DDIC to the System user type. If necessary, you can switch it back to a dialogue user using the Emergency User. Change the password, assign the user to the SUPER user group, and log it with the Security Audit Log.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
External commands test for the object S_LOG_COM.
The permissions on database objects show you the details of the user's permissions to access the object.