Compensating measures for segregation of duties conflicts
Evaluate Permission Traces across Application Servers
HR authorizations are a very critical issue in many companies. On the one hand, HR administrators should be able to perform their tasks - on the other hand, the protection of employees' personal data must be ensured. Any error in the authorization system falls within the remit of a company's data protection officer.
A universally applicable template for a reliable and functioning authorization concept does not exist due to the individuality and the different processes within each company. Therefore, the structures of the company and the relevant processes must be analyzed in detail during the creation process. Some core elements of the authorization concept to be created can be defined in advance. These include the overarching goal, the legal framework, a naming convention, clarification of responsibilities and process flows for both user and authorization management, and the addition of special authorizations. Only with clearly defined responsibilities can the effectiveness of a concept be guaranteed.
Use the authorisation route to identify proposed values for customer developments
Only current profile data is always recorded, so that obsolete profiles and permissions in the target system cannot be deleted by transport. This data remains associated with the users and remains effective until it clears a user synchronisation with the Cleanup option (transaction PFUD).
With the introduction of security policy, it is now possible to define your own security policy for System or Service users. This way you can ensure that backward-compatible passwords are still used for these users. This eliminates the reason that password rules were not valid for System/Service type users; Therefore, the rules for the content of passwords now apply to users of these types. Password change rules are still not valid for System or Service type users. If you are using security policy in your system, you can use the RSUSR_SECPOL_USAGE report to get an overview of how security policy is assigned to users. This report can be found in the User Information System (transaction SUIM). In addition, the user information system reports have added selected security policies to the user selection. This change was provided through a support package; For details, see SAP Note 1611173.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
For a call of transactions from SAP ERP from the SCM system to work, the RFC connection to be called for each ERP transaction must be maintained.
This ensures consistency between the role's permission data and its profile data.