Optimization of SAP licenses by analyzing the activities of your SAP users
System Users
When scheduling a job, another user can be stored as the executing user. This means that the individual processing steps of the job are technically carried out by the stored user with his or her authorizations. This means that activities could be triggered that could not be executed with the user's own authorizations.
In the course of a comprehensive protection of your system from the inside as well as from the outside it is indispensable to have a closer look especially at the SAP standard users. They have far-reaching authorizations that can cause great damage to your system if misused. It should be noted that they are very important for the operational execution of your SAP system and must not be deleted. However, since the associated standard passwords can be quickly researched, they must be changed immediately after delivery of the SAP ERP. You can perform a detailed check of these users using report RSUSRS003. It is also recommended to set certain default users inactive until they are actually used.
Add External Services from SAP CRM to the User Menu
Various activities, such as changes to content or the assignment of roles, are made traceable via change documents. This authorization should only be assigned to an emergency user.
When you create users in the SU01 transaction, do you want to automatically pre-occupy certain fields from a data source? Use a new BAdI for which we present an implementation example. If you create a user in the SU01 transaction in an SAP system, there is almost always data about that user in other systems. A classic example is user data in the Active Directory or the personnel master data in SAP ERP HCM, which are already maintained as part of the employee recruitment process. If user data is present in multiple systems, then the first choice is to automatically create a user through an identity management system, which is resolved by an HR trigger in SAP Identity Management (ID Management). ID Management detects changes, such as personnel master data, SAP ERP HCM, or business partners in SAP CRM, and either applies the appropriate users in your systems or makes changes and deactivations. But what if you don't have an identity management system in place? Do you need to type all of this data? No - you can pre-document them automatically. You can use a Business Add-in (BAdI), which allows you to pre-define certain fields when you create a user in the SU01 transaction.
With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
You can also monitor security alerts from the Security Audit Log via the Alert Monitoring of your Computing Centre Management System (CCMS).
Once a matching organizational level is found, the system performs the authorization check for the other fields of the authorization object (e.g., type of object or activity); if the system cannot determine a common organizational level, processing is rejected.