Security Automation for SAP Security Checks
System Security
Authorization object: Authorization objects are groups of authorization fields that control a specific activity. Authorization objects should always be defined in advance together with the user group, and each should relate to a specific action within the system.
After defining the roles and generating the corresponding authorization profiles, the individual persons in the company are then assigned to the roles. In the process, the so-called user comparison takes place and the role-specific authorizations are stored in the user master record. The master record contains all information about an SAP user, including authorizations.
Get an overview of the organisations and their dependencies maintained in the system
Manual authorization profile - To minimize the editing effort when using manual authorization profiles, you usually do not enter individual authorizations in the user master record, but authorizations combined into authorization profiles. Changes to access rights take effect for all users whose user master record contains the profile the next time they log on to the system. Users who have already logged on are therefore not initially affected by changes.
Changes in customizing and various security-relevant changes, such as the maintenance of RFC interfaces, can be viewed via table change logs. This authorization should only be given to an emergency user.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
In the course of authorization planning, a company should determine which authorizations are to be considered critical, which roles may receive which critical authorizations or values for critical authorization fields, and so on.
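One way to automate the check that follows from this planning, as an added example that is not from the original page or from any SAP tool: it scans role definitions for critical field values and reports roles that are not on the allowed list. The role names, the rule set and the choice of S_TABU_DIS and S_DEVELOP as critical objects are assumptions, and only single values and the full wildcard "*" are handled, not value ranges.

```python
# Added example. Rule set and role contents are constructed sample data.
# Each rule: (id, authorization object, {field: critical values}, roles allowed to hold it)
CRITICAL_RULES = [
    ("CHANGE_ALL_TABLES", "S_TABU_DIS",
     {"ACTVT": {"02"}, "DICBERCLS": {"*"}}, {"Z_EMERGENCY"}),
    ("DEBUG_REPLACE", "S_DEVELOP",
     {"ACTVT": {"02"}, "OBJTYPE": {"DEBUG"}}, {"Z_EMERGENCY"}),
]

# Each role: list of (authorization object, {field: granted values})
ROLES = {
    "Z_EMERGENCY": [("S_TABU_DIS", {"ACTVT": ["02", "03"], "DICBERCLS": ["*"]})],
    "Z_FI_CLERK": [("S_TABU_DIS", {"ACTVT": ["03"], "DICBERCLS": ["*"]})],
    "Z_KEYUSER": [("S_TABU_DIS", {"ACTVT": ["*"], "DICBERCLS": ["*"]})],
    "Z_BASIS_JUNIOR": [
        ("S_DEVELOP", {"ACTVT": ["*"], "OBJTYPE": ["DEBUG"]}),
        ("S_TABU_DIS", {"ACTVT": ["02"], "DICBERCLS": ["FC01"]}),
    ],
}


def field_matches(granted, critical):
    """A granted '*' covers every critical value; otherwise compare literally."""
    return "*" in granted or bool(set(granted) & critical)


def is_critical(auth_fields, rule_fields):
    """All fields of the rule must match; a missing field grants nothing."""
    return all(field_matches(auth_fields.get(name, []), crit)
               for name, crit in rule_fields.items())


def find_violations(roles, rules):
    """Return (role, rule id) for each role holding a critical authorization
    it is not explicitly allowed to hold."""
    violations = []
    for role in sorted(roles):
        for rule_id, obj, rule_fields, allowed in rules:
            if role in allowed:
                continue
            if any(o == obj and is_critical(f, rule_fields) for o, f in roles[role]):
                violations.append((role, rule_id))
    return violations


if __name__ == "__main__":
    for role, rule_id in find_violations(ROLES, CRITICAL_RULES):
        print(f"{role}: critical authorization {rule_id} not permitted for this role")
```

The wildcard case is what a literal comparison would miss: Z_BASIS_JUNIOR never lists activity 02 for S_DEVELOP, yet its "*" includes it.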
A user who has an Object Privilege for a schema also has the same Object Privilege for all objects in that schema.