Centrally review failed authorisation checks in transaction SU53
Architecture of authorization concepts
When defining the development policy, you should ensure that the appropriate attention is paid to access security. Customised programmes or customisations in the SAP Code Inspector ensure that all developers working in the company comply with these guidelines. Verification of compliance with the development directives should be an essential part of quality assurance before the programmes are used productively. The SE38 and SA38 transactions should not be allocated in the productive system and custom programmes should be included in own transaction codes. Permissions are then set up only for these transactions.
If the proliferation has occurred because the authorization concept was not adhered to, a cleanup is sufficient. If the proliferation has arisen because there are errors and gaps in the authorization concept, these errors must be identified, eliminated and the authorizations optimized. If the concept can no longer be implemented in a meaningful way, or if it has already been set up incorrectly, it will be necessary to create a new one.
Criticality
In the area of group consolidation, an authorization concept ensures that no data can be deliberately manipulated, for example to change balance sheets. This can prevent significant financial or reputational damage to banks and stakeholders. Furthermore, access to financial data of subdivisions of a group, such as individual business units or companies, must be restricted to those employees who are allowed to access it because their current activities require it. As a result, a controller of a business unit, for example, can only view the consolidated figures of his business unit, but not the figures of the entire group. Further authorization roles are required, for example, for external auditors. These auditors check all the figures for the entire group, but may only have read access to this data.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
At "www.sap-corner.de" you will also find a lot of useful information on the subject of SAP authorizations.
A temporary shutdown of Central User Management is usually not recommended.