Authorization tools - advantages and limitations
Excursus Special feature for authorizations for FIORI Apps under S/4HANA
The SAP authorization concept also maps the organization of authorizations within the SAP system. The organizational structure defines responsibilities and the authorization hierarchy, while the process organization specifies process steps and the activities and authorization objects required for them in SAP. The authorization concept must therefore be flexible enough to allow future changes in the organization to be implemented quickly and in compliance with the rules.
Evaluate the criticality of the security advisories for your company and also take into account the risks that may arise from the introduction of the SAP notes. This may include, for example, risks or expenses due to change and the corresponding tests in a productively used business process. Depending on this evaluation, you decide which safety instructions you want to insert directly and which hints should be implemented in the next maintenance cycle.
Security within the development system
Depending on your SAP NetWeaver release status, you must include SAP Note 1731549 or a support package. After that, it is no longer possible to create new users whose names consist only of variants of spaces or non-visible special characters. Changes to existing users are still possible. The customising switch BNAME_RESTRICT, also included in SAP Note 1731549, allows you to control whether you want to allow alternate spaces at certain locations of the user ID.
Your system has inactive users? This is not only a security risk, as they often use an initial password, but also creates unnecessary licence costs. There will always be inactive users in your SAP system. There may be several reasons for this. For example, they may be management level users that are virtually unused because they are not using the ERP system. It could also be that employees no longer use their SAP user due to a change of position or that outsiders do not work on the SAP system for a while. In any case, you should ensure that these inactive users are either blocked or invalidated. Up to now, you had to select all inactive users with the help of the RSUSR200 report and then manually transfer them into the SU10 transaction to perform the blocking. You can now do this automatically.
With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
Unsuccessful permission checks are now written to a ring buffer of the application server's Shared Memories.
Run step 2a (automatic synchronisation with SU22 data).