Activity level
Analyze user buffer SU56
If you use configuration validation, we still recommend that you use the AGS Security Services, such as the EarlyWatch Alerts and SAP Security Optimisation Services, which we describe in Tip 93, "AGS Security Services." SAP keeps the specifications and recommendations in the AGS Security Services up to date and adapts them to new attack methods and security specifications. If you have identified new security issues within a security service, you can set your target systems accordingly and monitor these aspects in the future.
Far more damage, however, can be caused by too extensive authorizations. For example, an employee may be authorized to access data for which he or she is not authorized. In the worst case, criminal activity can cause economic damage. To prevent this, an authorization concept must be in place that describes how authorizations are to be created and assigned to users.
Assign SAP_NEW to Test
Here, the authorizations are either derived from the role menu (through the authorization default values (transaction SU24) or can also be edited manually in expert mode. The individual authorization objects are divided into object classes. For example, the object class AAAB (cross-application authorization objects) contains the authorization object S_TCODE (transaction code check at transaction start) with the authorization field value TCD (transaction code).
Add SAP Note 1433352 to your system. This note ships with the RSAUDIT_SYSTEM_STATUS report. This report documents the current status of the Client and System Modification Settings in an overview, which you can also print out for evaluation if required. The advantage of this report is that pure display permissions are necessary to execute it.
Authorizations can also be assigned via "Shortcut for SAP systems".
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
To do this, you first create the PFCG role for the relevant transactions in the target system.
Password change rules are still not valid for System or Service type users.