Lock Inactive Users
Transactional and Native or Analytical Tiles in the FIORI Environment
Logs: Protocols exist for all audits performed. This allows you to review the history of the audit results at a later stage or to view only the results of the last audit. To do this, use the protocol evaluation of the AIS in the transaction SAIS_LOG or click the button in the transaction SAIS.
Programme the necessary checks (for example, for specific data constellations or permissions) in this new feature block. If the tests are not successful, do not show the location to the user, just do not return the export structure. The later display of the data is reduced exactly by this record.
Preventing sprawl with the workload monitor
Protect your system from unauthorised calls to RFC function blocks from the S_RFC authorization object by obtaining the necessary permissions using the statistical usage data. In many organisations, the primary focus in the permission environment is on protecting dialogue access. For each required transaction, you decide in detail which groups of people are allowed access. It is often overlooked that the critical S_RFC privilege object requires an analogue permission assignment. If the RFC (Remote Function Call) external access permissions are unneatly defined and assigned to the users, the S_TCODE authorization object quickly bypasses the primary protection for bootable applications.
The passwords of the users are stored in the SAP system as hash values. The quality of the hash values and thus their safety, however, depends on the hash algorithms used. The hash algorithms previously used in SAP systems are no longer considered safe; They can be cracked in a short time using simple technical means. You should therefore protect the passwords in your system in various ways. First, you should severely limit access to the tables where the hash values of the passwords are stored. This applies to the USR02 and USH02 tables and in more recent releases the USRPWDHISTORY table. The best way to assign a separate table permission group to these tables is to do so, as described in Tip 55, "Maintain table permission groups". In addition, you should also control the accesses using the S_TABU_NAM authorization object.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
In addition, the SAIS transaction log entries for this audit activity are displayed in the upper right pane of the display.
These permissions should be considered critical, and you should assign them to a small circle.