Critical authorizations
System Settings
The SAP authorization concept protects transactions and programs in SAP systems on the basis of authorization objects. Authorization objects enable complex checks of an authorization that are bound to several conditions. Authorizations represent characteristics of authorization objects depending on the employee's activity and responsibility. The authorizations are combined in an authorization profile that belongs to a role. The administrator assigns the appropriate role to the employee via the user master record so that the employee can perform his or her tasks in the system.
EARLYWATCH: The user EARLYWATCH only exists in the client 066, because it serves the remote maintenance by the SAP support. EARLYWATCH only has display rights for performance and monitoring functions. Safeguard measures: Lock down the user EARLYWATCH and only unlock it when requested by SAP Support. Change the password, assign it to the SUPER user group, and log it with the Security Audit Log.
What to do when the auditor comes - Part 1: Processes and documentation
Other dangers include admins simply copying user roles, not having control processes for permission assignments, or not following the processes over time. In this context, two things should be clarified: Which SAP user is allowed to access which data? How do the roles differ (especially if they are similar)?
To access business objects or execute SAP transactions, a user requires appropriate authorizations, since business objects or transactions are protected by authorization objects. The authorizations represent instances of the generic authorization objects and are defined according to the employee's activities and responsibilities. The authorizations are combined in an authorization profile that belongs to a role. User administrators then assign the appropriate roles to the employee via the user master record so that the employee can use the respective transactions for his or her tasks in the company.
Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.
Encryption is intended to ensure the confidentiality of the data, i.e. that only the recipient of the e-mail should be able to read it.
Efficient and well thought-out authorization management plays a key role in minimizing risk and is a good way of protecting against unauthorized access, data misuse and industrial espionage.