Use AGS Security Services
Permissions checks
Two other very important settings are the activation of the security audit log and the table logging. Both parameters must be activated in order to ensure traceability at the user level as well as at the table level. It should therefore be checked whether the detailed settings for the security audit log are set up in accordance with the company's specifications and, in any case, whether all users with comprehensive authorizations, such as SAP_ALL, are fully covered by the logging without exception.
Database Schema Privileges permissions: Schema Privileges are SQL object permissions that control access to and modification of a (database) schema, including the objects contained in that schema. A user who has an Object Privilege for a schema also has the same Object Privilege for all objects in that schema.
Evaluate licence data through the Central User Management
On the one hand, sensitive company data must not fall into the wrong hands, but on the other hand, they also form an important basis for decisions and strategic company directions. Avoid a scenario of accidentally accessible data or incomplete and thus unusable reports by implementing your SAP BW authorizations properly.
Are you already using BAPIs in user care? For example, you can use them to set up a password reset self service. We show you how to do this and what you need to pay attention to. Especially with large system landscapes and systems that are only sporadically used, users often forget their password. Strengthened password rules (e.g. to change a password regularly or to require certain character types to be used), which are supposed to serve security, do their part. Forgotten passwords and the frequently resulting user locks are unfortunately often lost to the user when access to a system is most needed. Unlocking a user and assigning a new password is rarely done in real time, even with large 24-hour support service departments. This problem, which I am sure you are familiar with, does not exactly promote employee satisfaction and productivity. A self-service that uses the Business Application Programming Interfaces (BAPIs) can counteract this.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
If you need explanations about a customising switch that are not listed here, look for the relevant note about the SSM_CID table.
The context-dependent authorizations combine the general and structural authorizations and avoid situations like in the example above.