What to do when the auditor comes - Part 1: Processes and documentation
Understanding SAP HANA Permissions Tests
Changes to SAP user data should be uncomplicated and fast. Users can make requests for SAP systems themselves. In exceptional and emergency situations, SAP users should be assigned extended authorizations quickly and for a limited period of time. Simplified assignment and control of exception authorizations in SAP systems is required. You can freely and flexibly determine the duration of these authorization assignments. Decisions can be controlled and monitored across systems. Whether it's recertification of SAP users, vacation requests or birthday wishes: all these things can now be processed and managed centrally in one place.
You can also remove customer-specific organisational levels and convert them to a simple permission field. The report PFCG_ORGFIELD_DELETE serves for this purpose. It removes the permission field from the USORG table and changes the permission proposal values to that field. Finally, it goes through all the rolls that contain a shape to the field. However, it does not restore the old location of the field, because summarised values will no longer be separated when the field is elevated to the organisational level. Instead, the aggregated values are entered separately in each field. The PFCG_ORGFIELD_DELETE report also provides a value aid that shows only the customer's organisational levels. You can also use this value aid to determine all customer-specific organisational levels.
Bypass Excel-based Permissions Traps
Have you ever wondered who has critical permissions in your system? Have you lacked the tool and approach to identify these users? The user system in an SAP system is always connected to a permission assignment. Over the life cycle of a user in the SAPS system, more and more permissions are accumulated if they are not withdrawn once they are no longer needed. This accumulation is bound to result in users being able to perform more actions than you would like as the permission administrator. To avoid this, we want to give you a suitable tool.
In the SAP system, passwords are locked when the maximum number of allowed password login errors is reached. This counter is reset with a password each time you successfully log in. In addition, an initial password can be locked when its validity has expired. Both the validity of the initial password and the maximum value for password login errors are set using profile parameters. For details, see Tip 4, "Set password parameters and valid passwords characters". A password lock only prevents a user from logging in via his password, because the number of errors is only evaluated if the login is done by password. If a login is now made via other authentication methods (such as SSO), these are not affected by the password lock. This also applies to internal expiration procedures (such as background jobs) because you do not need to register a password. This prevents, for example, denial-of-service attacks, which first cause a password to be locked in order to block internal processes. Eine Ausnahme von dieser Regel gibt es allerdings: Auch wenn andere Authentifizierungsverfahren genutzt werden, prüft das System, ob der Benutzer dazu in der Lage ist, sich mit einem Passwort anzumelden. Wenn dies der Fall ist und das Passwort gerade geändert werden muss, wird diese Änderung vom Benutzer abgefragt. Diese Abfrage können Sie aber auch mithilfe des Profilparameters login/password_change_for_SSO ausschalten.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
With the SAP Implementation Guide (IMG), there is a tool that allows you to customise your SAP system to suit your business needs.
A new window will open, where you enter the project name.