SAP Authorizations Evaluation of the authorization check SU53 - SAP Admin

Direkt zum Seiteninhalt
Evaluation of the authorization check SU53
Unclear responsibilities, especially between business and IT
You should therefore enforce cryptographic authentication and communication encryption by setting up Secure Network Communication (SNC). SNC provides a strong cryptographic authentication mechanism, encrypts data transmission, and preserves the integrity of the transmitted data. For some time now, SNC is freely available without a SSOMechanism (SSO = Single Sign-on) for SAP GUI and the RFC communication of all SAP NetWeaver customers. You should always implement SNC between SAP GUI and application server, as this communication can also run over open networks. For RFC communication, you need an SNC implementation if you think the data transfer could be intercepted.

When were which changes made to a role (PFCG)? In the PFCG, click on Utilities > View Changes in the menu at the top to view the change documents. You will see a detailed list of which user made which change to which object and when.
Object S_BTCH_ADM (batch administration authorization)
You should not grant large permissions for the SCC4 and SE06 transactions to internal and external auditors, just so that they can see the system modifiability. We present the report, which only requires the permissions a auditor usually has to view the system modifiability. There are several people who want to view the system modifiability settings in your system for specific reasons. These can be internal auditors, auditors or developers. The display of these settings, e.g. via the SCC4 or SE06 transactions, is not in itself critical; However, this has previously required permissions that are not usually assigned to the group of people just described. Since SAP NetWeaver 7.0, there is also a report that shows the system modifiability settings. This report requires only viewing permissions that can be assigned to the above-described group without any concerns. We present the application of this report and the required permissions here.

You should archive all document types at the same time intervals; This is especially true for the US_USER and US_PASS archive objects. It is customary to keep the supporting documents between 12 and 18 months, as this corresponds to the retention periods for the revision. For performance reasons, if you want to archive in shorter intervals, you should always archive all archive objects at the same time and store the PFCG and IDENTITY archive object classes in separate archives. In this case, it may be useful to download the archived revision documents back to a shadow database to make them available for faster review. You can use the following reports: RSUSR_LOAD_FROM_ARCH_PROF_AUTH / RSUSR_LOAD_FROM_ARCHIVE. You can also archive the table change logs with the BC_DBLOGS archive object.

If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.

The website www.sap-corner.de offers many useful information about SAP basis.


This will show you the new user master set with the pre-filled fields.

So much information... how can you keep it so that you can find it again when you need it? That's what Scribble Papers is great for.


You can specify either the name of the CRM Business Role (User Role) or the name of the assigned PFCG role.
Zurück zum Seiteninhalt