Security in development systems
SAP FICO Authorizations
A well-founded statement about the complexity and the associated effort requires a fundamental system analysis in advance. Its results form an excellent basis for estimating the project scope and implementation timeframe.
In order to get an overview of the organisations and their structure, we recommend that you call the Org-Copier (in read mode!) for the various organisational fields via the transactions EC01 to EC15. The customising in the SPRO transaction allows you to define the organisation fields and their respective assignment in the corporate structure area.
Analyzing the quality of the authorization concept - Part 1
This information is used in the name generation of the external service. In this way, all area start pages and logical links configured in a CRM business role are authorised in the form of external services. Because so many external services appear in the role menu, it is difficult to keep track of them. To allow only certain external services, proceed as follows: first, identify the external service using the authorization trace.
First and foremost, legal principles must be stated, and specific reference must be made to authorizations that are critical under the law and that may not be assigned (or at most may be assigned to emergency users). An example is the authorization "Debugging with Replace", which is granted by the object S_DEVELOP with the values ACTVT = 02 and OBJTYPE = DEBUG and which allows data to be manipulated by changing values in main memory. This would violate § 239 of the German Commercial Code, the so-called "erasure prohibition".
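One way to check a role export for this critical combination is sketched below. It is an added example, not code from the original page or from SAP. The row layout (role, object, authorization instance, field, low value, high value), the role names and the sample rows are constructed assumptions.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample rows in the shape of a role-authorization export:
# (role, object, authorization instance, field, low value, high value).
# Layout and role names are assumptions, not taken from the page.
SAMPLE_ROWS = [
    ("Z_DEV_FULL",   "S_DEVELOP",  "A1", "ACTVT",   "*",     ""),
    ("Z_DEV_FULL",   "S_DEVELOP",  "A1", "OBJTYPE", "*",     ""),
    ("Z_DEV_RANGE",  "S_DEVELOP",  "A1", "ACTVT",   "01",    "03"),
    ("Z_DEV_RANGE",  "S_DEVELOP",  "A1", "OBJTYPE", "DEB*",  ""),
    ("Z_DEV_SPLIT",  "S_DEVELOP",  "A1", "ACTVT",   "02",    ""),
    ("Z_DEV_SPLIT",  "S_DEVELOP",  "A1", "OBJTYPE", "PROG",  ""),
    ("Z_DEV_SPLIT",  "S_DEVELOP",  "A2", "ACTVT",   "03",    ""),
    ("Z_DEV_SPLIT",  "S_DEVELOP",  "A2", "OBJTYPE", "DEBUG", ""),
    ("Z_FI_DISPLAY", "F_BKPF_BUK", "A1", "ACTVT",   "03",    ""),
]

# Critical values for "Debugging with Replace" as named in the text above.
CRITICAL = {"ACTVT": "02", "OBJTYPE": "DEBUG"}


def value_covers(low, high, wanted):
    """True if a single value, a pattern or a LOW..HIGH interval includes `wanted`."""
    low, high = low.strip(), high.strip()
    if high:
        # Interval entry: plain string comparison (an assumption of this sketch).
        return low <= wanted <= high
    # Single entry: exact value, full wildcard '*' or a prefix pattern like 'DEB*'.
    return fnmatchcase(wanted, low)


def roles_with_debug_replace(rows):
    """Return sorted role names in which ONE S_DEVELOP authorization instance
    covers every critical field value. Values spread over different
    instances do not combine, so they are not reported."""
    covered = defaultdict(set)  # (role, instance) -> critical fields covered
    for role, obj, auth, field, low, high in rows:
        if obj != "S_DEVELOP" or field not in CRITICAL:
            continue
        if value_covers(low, high, CRITICAL[field]):
            covered[(role, auth)].add(field)
    return sorted({role for (role, _), fields in covered.items()
                   if fields == set(CRITICAL)})
```

Roles found this way are candidates for removal from regular users or for restriction to emergency users, as described above.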
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
From release 10.1, SAP Access Control supports the creation of users and the assignment of roles and privileges in HANA databases.
This can be business-critical or personal data or even passwords.