Deleting table change logs
Deletion of change documents
Due to the complexity of an SAP® authorization concept, it is necessary that all essential aspects are set down in a written documented authorization concept. This should describe the essential processes, but also how to handle the assignment of authorizations via roles. In particular, the nomenclature of specially created roles must be clearly defined. It should therefore be checked whether all changes since the last audit have been documented in the written authorization concept. After all, this document serves the auditor as a template for the so-called target/actual comparison. This means that the auditor compares the document with the actual status in the SAP® system for the main topics relevant to the audit. Any discrepancy can lead to a finding that must be avoided.
The evaluation performance of the Security Audit Log was optimised from SAP NetWeaver 7.31. For this extension, you need a kernel patch. For the fixes and an overview of the required support packages, see SAP Note 1810913.
Use the authorisation route to identify proposed values for customer developments
However, the preferred and more comprehensive variant of a programmatic permission check is the use of the AUTHORITY_CHECK_TCODE function block. This function block not only responds to a missing permission when the programme starts, but can also specify that only the NO-CHECK check marks maintained in the transaction SE97 allow external calling from another transaction context. This is determined by the function block and not by the developer.
The RESPAREA field has a maintenance dialogue that allows you to enter areas of responsibility. The care dialogue is called as a building block and provides different tabs for input depending on the authorization object. Now, if you declare the RESPAREA field to be the organisation level, you must first set the display of the tabs for input in customising. To do this, you must add an entry to the KBEROBJ table that is independent of the client by using the SE16 transaction. In this entry, leave the first OBJECT field blank. The CURRENTOBJ field must be maintained because it defines the tab that will be displayed when the maintenance is called, i.e. the Default tab. If this field is blank, no startup image can be found and errors occur. The following fields determine the contents of the various tabs and should therefore also be maintained so that you can use RESPAREA as an organisational level. These are the OBJECT1 to OBJECT7 fields for the first to the seventh tab. In these seven fields, you define what values you can enter on the tabs.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
Because previously all password rules for the service user were invalid, and now the rules for the contents of the passwords also apply to the service user (see Tip 5, "Defining User Security Policy" for details on security policy).
You can select these roles and then use the Reduce in Roles button to adjust them to the new organisation level.