Starting reports
SAP Authorizations - Overview HCM Authorization Concepts
The audit result lists the vulnerabilities by priority, with a high priority combined with a high hit safety of a finding and a low priority combined with low hit safety. In addition, more information is available within the ABAP editor at each location. This priority indicator helps you to identify whether a false positive or an actual security problem is present. Priorities 1 and 2 are very likely to be a genuine reference. The tool provides recommendations on how to modify the source code to correct the vulnerabilities. In addition to the individual checks for individual developers, the tool also offers mass checks, for example to check an entire application for vulnerabilities in one step.
SAP authorizations control the access options of users in an SAP system - for example, to personal data. Secure management of this access is essential for every company. This makes authorization concepts, authorization tools and automated protection of the SAP system all the more important in order to meet the stringent legal requirements with little administrative effort.
Know why which user has which SAP authorization
Unlike the EWA, the SOS is able to list users that require extensive permissions. So you can maintain a whitelist. We recommend that you deal with the results of the SOS as follows: Verify that all identified users require critical permission. Complete the users who need this permission in the whitelist. Remove this permission from other users.
With the help of the SAP-Note 1642106 it is possible to automatically perform the text comparison from SAP NetWeaver AS ABAP 7.0. Inserting the note will automatically perform text matching for any changes to PFCG roles in the central system. We recommend that you install the support package that is appropriate for your release, which is specified in the SAP Note, because inserting the hint requires a lot of manual work. With the help of the SUSR_ZBV_GET_RECEIVER_PROFILES report, you can turn on the new functionality in all subsidiary systems where the correction information has also been recorded. If you run the report in the central system with the default selection, all subsidiary systems are included. You can check whether the function is present in the daughter systems in the report log.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
In principle, the recommendation is to use the profile generator (transaction PFCG) to generate authorisation profiles automatically.
This folder structure can also be found in the SMEN_BUFFC table.