SU2X_CHECK_CONSISTENCY & SU24_AUTO_REPAIR
Custom Permissions
To support the safe operation of SAP systems, SAP offers a whole portfolio of services. We present the security services offered by SAP Active Global Support (AGS). The security of an SAP system in operation depends on many factors. There are several security features in the SAP standard, such as user management, authentication and encryption capabilities, web service security features, and the various authorisation concepts. Vulnerabilities in the standard software are also regularly fixed in SAP notes and support packages. You are responsible for the safe operation of your SAP system landscapes; so you need to incorporate these features and fixes into your systems. The AGS Security Services support you by bundling the experiences of the AGS into consolidated best practices. We introduce these services and describe how they help you gain an overview of the security of your operational concept.
Is it necessary for your evaluations to select the blocked or invalid users? This is now directly possible with the extensions of the user information system. There is always a requirement to evaluate the existing users in your SAP system. Examples may include lists requested by auditors. In such a case, you naturally want to exclude invalid users and those with administrator lock from the selection. Up to now, you have had to perform various evaluations with the reports RSUSR200 and RSUSR002 of the user information system (transaction SUIM) and subsequently edit the lists. The findings may not have been accepted by the auditors as the lists were visibly manipulated, even if this manipulation was justified. You can now enter this selection directly. We will show you below how to search for users with password or administrator lock or exclude them from your selection.
Rebuilding the authorization concept
For accesses by verifier users (from the table TPCUSERN), the selection parameters of the invoked transaction are logged in the application log and can be evaluated with the report CA_TAXLOG. In the example, the single ledger entry for the vendor account 100000 was invoked.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
You can also find some useful tips from practice on the subject of SAP authorizations on the page "www.sap-corner.de".
The user's access to this program is realized by assigning a role that contains the required transaction including the authorization objects to be checked.