Translating texts into permission roles
Unclear responsibilities, especially between business and IT
You should then enable the latest version of the hash algorithms by setting the login/password_downwards_compatibility profile parameter to 0. This is required because SAP systems maintain backward compatibility by default. This means that, depending on your base release, either the new hash algorithms will not be used when storing passwords, or additional outdated hash values of passwords will be stored. You should then check to see if there are any old hash values for passwords in your system and delete them if necessary. Use the report CLEANUP_PASSWORD_HASH_VALUES.
Define critical permission combinations that cannot be assigned in the monitored systems. A whitelist allows you to specify which users (such as emergency users) you want to exclude from the evaluation. Identify vulnerabilities in the configuration of your RFC interfaces, i.e. RFC connections, where users with extensive permissions (e.g., the SAP_ALL profile) are registered. These RFC connections can be used for the so-called RFC-Hopping, where access to an SAP system is made via such an extensively authorised RFC connection.
General authorizations
How do I make an authorization trace on a user (STAUTHTRACE)? With the authorization trace you can record which authorization objects are used by a user. This helps, for example, in the creation of suitable roles: - Call the transaction STAUTHTRACE - Specify the desired user and start the trace - Let the user call his transaction - Stop the trace (Important, do not forget!) - Evaluate the results.
In order to provide user authorisation support, you often need their information. However, there is also the possibility to view missing permissions centrally for all users. If a user has a permission issue, a ticket is usually displayed at support. However, it is difficult for a support worker to understand permissions errors because they have different permissions and are often missing detailed information about the application where the permission error occurred. In practice, therefore, support staff often help themselves by asking the user to send a screenshot of the transaction SU53. Because this transaction shows the last failed permission check. In many cases, however, the information displayed there is not helpful to the permission administrator. You may have seen that a screenshot from the SU53 transaction shows a missing permission for typical base authorization objects, such as S_ADMI_FCD, S_CTS_ADMI, or S_TRANSLAT, but you know that your check has nothing to do with the actual permissions problem in the application. So you need the opportunity to see for yourself.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
Clearly defined responsibilities ensure the effectiveness of a concept.
To do this, create your own table permission group for the SSF_PSE_D table and restrict programmes from accessing the /sec directory in the file system.