Goal of an authorization concept
Authorization Analysis
The filter setting in transaction SM19 determines which events should be logged. In addition, you must activate the Security Audit Log via the profile parameters in the transaction RZ11 and make technical settings. For an overview of the profile parameters for the Security Audit Log, see the following table. The values specified in the table are a suggestion, but not the default values. The Security Audit Log is not fully configured until both the profile parameters and an active filter profile have been maintained. Note that the Security Audit Log has two configuration options: static and dynamic configuration. Static configuration stores filter settings persistent in the database; they are only applied on a system boot. The filter settings are used as the current configuration for each subsequent startup and should therefore always be maintained. The dynamic configuration allows you to change the settings in the running mode. The dynamic configuration is used when settings need to be adjusted temporarily. Here you can change all filter settings, but not the number of existing filters. Dynamic configuration will remain active until the next boot.
To help you better find your own tables in the future, check your development policy to see if the storage is adequately described. If the development guidelines are not complete, you should supplement them. For example content for a development policy, see the DSAG Web site under Guides. Now go to https://www.dsag.de/go/leitfäden and search for "Best Practice Guide Development".
Architecture of authorization concepts
There are extensive revision requirements for password rules. Learn how to define these requirements globally, which special characters are accepted by the SAP standard, and how to set the parameters for generated passwords. Do you not want to use SAP's standard password creation rules, but rather make your own password requirements for your users? Do you need to implement internal or external security requirements, such as audit requirements? You do not want to allow certain words as passwords, exclude certain special characters or change the formats of passwords generated by the SAP system? In the following we give you an overview of the possible characters, the existing profile parameters and the customising settings for passwords.
For a call of transactions from SAP ERP from the SCM system to work, the RFC connection to be called for each ERP transaction must be maintained. To do this, click the More node details button and select the Target system item.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
The report on how to change the source language can be found in SAP Note 854311.
If this is not the case, it is essential to create documentation that cannot be changed, in which it is proven why the assignment was necessary and that the user has not carried out any critical actions beyond this (filing and review of logging).