Maintaining Authorization Objects (Transaction SU21)
Set password parameters and valid password characters
Upgrades also require that the eligibility roles be revised. In this context, you can use the SAP_NEW profile for support. During an upgrade, changes and enhancements to permissions checks are included in SAP NetWeaver AS ABAP. In order for users to continue to perform their previous actions in the SAP system as usual, you as the permission administrator must revise or add to the authorisation expressions within the framework of the established permission concept. Basically, you use the transaction SU25 for this purpose. For the transition period, you can use the SAP_NEW permission until the permission concept is up to date on the new release. Since the handling of SAP_NEW is not always transparent and the question arises, for example, when the profile should be assigned and when not, we explain the background here.
In practice, the main problem is the definition of content: The BMF letter remains very vague here with the wording "tax relevant data". In addition, there is the challenge of limiting access to the audited financial years.
Security Automation for HR Authorizations
Reasons for incorrect organisational levels are values that have been manually maintained in the authorization object itself, instead of using the Origen button, as well as incorrect transports or incorrectly created or deleted organisational levels. Since correct inheritance can no longer occur in such cases, you need a way to reset incorrect values of the organisation levels in the PFCG roles.
In order to sustainably guarantee the security of the SAP system internally and externally, regular auditing is indispensable. Existing rule violations must be detected and corrected. In addition, it is important to document the regular operation of SAP in order to have evidence of this for external and internal requirements. Automated processes can save a lot of time and money.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
The four important concepts of SAP security first require a certain amount of effort.
You should always enable table logging for all clients.