SAP Authorizations Structural authorizations - SAP Basis

Direkt zum Seiteninhalt
Structural authorizations
Security within the development system
Security notes correct vulnerabilities in SAP standard software that can be exploited internally or externally. Use the System Recommendations application to keep your systems up to date. SAP software is subject to high quality assurance standards - however, security vulnerabilities may occur in the code. These vulnerabilities can, in the worst case scenario, open the door to external and internal intruders. It is not difficult to find guidance on exploiting these vulnerabilities in relevant internet forums. A permission concept is only as good as the code that performs the permission checks. If no permission check occurs in your code, the permission concept cannot restrict access. For these reasons, SAP has introduced Security Patch Day (every other Tuesday of the month), which will allow you to better plan for implementing the security advisories. In addition, you can use the System Recommendations application in the SAP Solution Manager to get a detailed, cross-system overview of the security advice you need. The system status and the SAP hints already implemented are taken into account. With this support, ensure that your system landscape is at the current security level.

When configuring the Security Audit Log, you must consider the storage of the files. At least one separate file is created for each day. When the maximum size of all files for the tag is reached, additional events are stopped. So you should always adjust the maximum size of the file to your needs using the parameters rsau/max_diskspace/per_file and rsau/max_diskspace/per_day. The rsau/max_diskspace/local parameter is obsolete in this case, but remains active if the other two parameters are not maintained.
Background processing
You can do this by using the P_ABAP authorization object to override the usual permission checks. This applies to all reports that access the logical database PNPCE (or PNP). In case of a P_ABAP permission, the usual checks for authorization objects, such as P_ORGIN or P_ORGINCON, will no longer take place or will be simplified. This also applies to structural permissions. Whether the permission checks are simplified or completely switched off is controlled by the COARS field of the object. To disable all checks, set the value COARS = 2. This value does not limit the data displayed in the legitimate report. If you want to allow advanced permissions for reporting, but you do not want them to be unrestricted, you must select COARS = 1. In this case, you will also designate the P_ORGIN (or P_ORGINCON, P_ORGXX and P_ORGXXCON) authorization object. However, you must be careful not to mark all fields of the objects, otherwise direct access is also possible. Therefore, always write two versions of the P_ORGIN authorization object, one with the functional permissions (permission levels, info types, and subtypes), and one with the organisational boundaries (personnel area, employee group, employee group, and organisation keys). In addition, you will of course need a P_ABAP for the relevant reports with the value COARS = 1.

Make your IMG projects more secure. We show you how to create customising permissions for individual projects or project views, thereby limiting access. With the SAP Implementation Guide (IMG), there is a tool that allows you to customise your SAP system to suit your business needs. You can manage access to projects in the IMG via customising permissions and thus limit the user circle. You grant the members of an SAP project team the permissions they need to support the project. Below we show you how to create customising permissions by mapping to the IMG projects.

Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.

This increases transparency for you, because all participants can instantly identify which users are editing the role.

After successful acceptance test, you transport them to the production system.
SAP BASIS
Zurück zum Seiteninhalt