SAP Authorizations Risk: historically grown authorizations - SAP Basis

Direkt zum Seiteninhalt
Risk: historically grown authorizations
Our services in the area of SAP authorizations
With the introduction of security policy, it is now possible to define your own security policy for System or Service users. This way you can ensure that backward-compatible passwords are still used for these users. This eliminates the reason that password rules were not valid for System/Service type users; Therefore, the rules for the content of passwords now apply to users of these types. Password change rules are still not valid for System or Service type users. If you are using security policy in your system, you can use the RSUSR_SECPOL_USAGE report to get an overview of how security policy is assigned to users. This report can be found in the User Information System (transaction SUIM). In addition, the user information system reports have added selected security policies to the user selection. This change was provided through a support package; For details, see SAP Note 1611173.

In addition to SAP book recommendations on SAP authorizations, I can also recommend the books from Espresso Tutorials such as "SAP Authorizations for Users and Beginners" by Andreas Prieß * or also the video tutorial "SAP Authorizations Basics - Techniques and Best Practices for More Security in SAP" by Tobias Harmes. Both are, among other media, also included in the Espresso Tutorials Flatrate, which I have also presented in more detail under SAP Know How.
SAP license optimization
The P_ABAP (HR-Reporting) authorization object is not required to execute reports, but is intended to improve performance during execution. In addition, it can be used when reports require permissions for info types that the user should not receive in other cases, which is more common. For example, the right to display information type 0008 (basic salary) is also required for the execution of the travel statement reports. The Invoice Payer Programmes also require P_ABAP permissions to process personal data.

To do this, in the SU24 transaction, open the application you want to customise. To maintain the missing suggestion values, you can start the trace here by clicking on the button Trace. You can of course also use the system trace for permissions via the ST01 or STAUTHRACE transactions. A new window will open. Click here on the Evaluate Trace button and select System Trace (ST01) > Local. In the window that opens you now have the opportunity to restrict the trace to a specific user or to start it directly. To do this, enter a user who will call the application you want to record, and then click Turn on Trace. Now, in a separate mode, you can call and run the application you want to customise. Once you have completed the activities that you need permission checks, i.e. you have finished the trace, you will return to your application in the transaction SU24 and stop the trace by switching off the button trace. To perform the evaluation, click the Evaluate button. To obtain the trace data for each authorization object, select the authorization object you want to customise in the upper-left pane of the Permissions object drop-down list.

Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.

Thus, the overall authorisation for these fields allows the login from any system and client or for any user and thus creates significant security risks.

End users typically do not access table-level data directly, but the data is displayed in business applications and their display is restricted in context by means of entitlement checks.
SAP BASIS
Zurück zum Seiteninhalt