What to do when the auditor comes - Part 1: Processes and documentation
Managed Services
Furthermore, the statistical data of other users (user activities, such as executed reports and transactions) should be classified as sensitive, since it may be possible to draw conclusions about work behavior using this data. This data can be displayed using transaction ST03N, for example. Access authorizations to the two types of data mentioned above should be assigned only very restrictively.
The SAP Solution Manager is the central platform for all technically supported services, because information about the connected systems is available when you schedule data collections for these systems via background jobs. The documentation for the safe operation of SAP systems is compiled in the SAP End-to-End Solution Operations Standard for Security (Secure Operations Standard). It provides an overview of security aspects of SAP operations and is designed to guide you through the available information and recommendations and to refer you to relevant content.
Risk: historically grown authorizations
If you want to export the movement data of the productive system to a development system, you should first export user master records and the permission proposal values and archive the complete change documents. After importing, you can then delete the imported change documents, in analogy to the client copy, and then reload and index the original change documents of the development system. The activities described here require administrative permissions for the change documents (S_SCD0 and S_ARCHIVE) and, if applicable, for the table logs (S_TABU_DIS or S_TABU_NAM and S_ARCHIVE). These permissions should be considered critical, and you should assign them to a small circle.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
The website "www.sap-corner.de" offers a lot of useful information about SAP authorizations.
SAPHinweis 1257133 describes the procedure for creating such a concept.