Maintain permission values using trace evaluations
Archive change document management for user and permission management
Define critical permission combinations that cannot be assigned in the monitored systems. A whitelist allows you to specify which users (such as emergency users) you want to exclude from the evaluation. Identify vulnerabilities in the configuration of your RFC interfaces, i.e. RFC connections, where users with extensive permissions (e.g., the SAP_ALL profile) are registered. These RFC connections can be used for the so-called RFC-Hopping, where access to an SAP system is made via such an extensively authorised RFC connection.
To access business objects or execute SAP transactions, a user requires appropriate authorizations, since business objects or transactions are protected by authorization objects. The authorizations represent instances of the generic authorization objects and are defined according to the employee's activities and responsibilities. The authorizations are combined in an authorization profile that belongs to a role. User administrators then assign the appropriate roles to the employee via the user master record so that the employee can use the respective transactions for his or her tasks in the company.
Evaluate licence data through the Central User Management
You can view the change documents of the permission proposal maintenance using the report SU2X_SHOW_HISTORY (available with the support package named in the SAPHinweis 1448611). If the note is not implemented, use the USOBT_CD and USOBX_CD tables. We recommend that you run the SU24_AUTO_REPAIR correction report regularly. This report cleans up inconsistencies and adds missing modification flags in the transaction SU24 data that may turn up as errors when the transaction SU25 is executed. Read SAP Note 1539556 for this. Modification flags are added to the records in transaction SU24, if they have been modified by you. You can see these flags in the USOBT_C and USOBX_C tables.
Applications use the ABAP statement AUTHORITY-CHECK in the source code of the program to check whether the user has the appropriate authorizations and whether these authorizations are defined appropriately, that is, whether the user administrator has assigned the values required by the programmer for the fields. In this way, you can also protect transactions that are indirectly accessed by other programs. AUTHORITY-CHECK searches the profiles specified in the user master record for authorizations for the authorization object specified in the AUTHORITY-CHECK statement. If one of the determined authorizations matches one of the specified values, the check was successful.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
For details on the SAP user, see Tip 91, "Handling the default users and their initial passwords".
Even the best authorization tools cannot compensate for structural and strategic imbalances.