Challenges in authorization management
Maintain derived roles
The user administration process, i.e. user creation, modification and deactivation, should on the one hand be available in written documented form, either as a separate document or as part of the authorization concept documented in writing, and on the other hand also be carried out in accordance with the documentation. Therefore, a reconciliation should be performed on two levels: on the one hand, it should be ensured that the documentation is up to date and, on the other hand, it should be checked whether the process was also followed in the fiscal year to be audited. Possible deviations should already be prepared argumentatively, special cases can always occur that deviate from the actual process. However, these should be documented in a comprehensible manner so that an external auditor, such as the auditor's IT auditor, can check the plausibility. All documentation should be provided with the essential information (creator, date, version, etc.) and be in a format that cannot be changed (usually PDF). Additional documentation can also be output from the ticket system, provided that the process is consistently documented via the ticket system.
In line with the maintenance of the SAP transaction permissions proposal values using the SU22 and SU24 transactions, it is advisable to maintain proposed values for web applications. In order for a user to be assigned a suitable rating for an operational feature set in the Web application, the software developers in the transaction SU22 must connect all the authorization objects required for this application to the corresponding Web Dynpro application, i.e. not just S_START. The source of the required authorization objects is usually a developer or permission trace.
SIVIS as a Service
This also implies that the change documents must be kept in Excel. The Excel file must not be lost or damaged.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
You can also find some useful tips from practice on the subject of SAP authorizations on the page "www.sap-corner.de".
If a suitable project is not available, you can view the list of SAP customising activities.