SAP authorizations: Recommendations for setting up, monitoring and controlling
Preventing sprawl with the workload monitor
The convenience of configuring and evaluating the Security Audit Log has been improved. For this purpose, the maximum number of marked messages in the detail selection has been increased to 40 events, a forward navigation for the displayed objects has been added and the details selection in transaction SM20 has been supplemented with the technical event names. You will find the corrections and an overview of the required support packages in SAP Note 1963882.
No external services can be added manually in transaction SU24. To do this, you must turn on a permission trace that takes over. You can enable the permission trace using the auth/authorisation_trace dynamic profile parameter. You can enable this parameter by using the transaction RZ11 (Profile Parameter Maintenance) by entering the value Y as a new value and selecting the Switch to All Servers setting.
Centrally review failed authorisation checks in transaction SU53
To define table permissions in the PFCG transaction, it is not necessarily sufficient to specify the generic table display tools, such as the SE16 or SM30 transactions, in the role menu. The proposed values for these transactions are very general and only provide for the use of the S_TABU_DIS or S_TABU_CLI authorization objects. Explicit values must be entered depending on the tables that you have selected for permission. To explicitly grant access to the tables through the S_TABU_NAM authorization object, you can create a parameter transaction for each table access. For example, a parameter transaction allows you to call tables through the SE16 transaction without having to specify the table name in the selection screen because it is skipped. You can then maintain suggestion values for the parameter transaction you created.
Authorizations are the main controlling instrument for mapping risk management and compliance. They are used to control all processes in the systems. For the most part, separation of functions is implemented exclusively with authorizations. Therefore, not only the one-time setup of authorizations is relevant, but also the continuous monitoring and control of the authorization assignment. Various tools are available on the market for this purpose. A re-certification process that involves the departments and optimizes the revalidation of authorizations is helpful.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
SAP Basis refers to the administration of SAP system that includes activities like installation and configuration, load balancing, and performance of SAP applications running on Java stack and SAP ABAP. This includes the maintenance of different services related to database, operating system, application and web servers in SAP system landscape and stopping and starting the system. Here you can find some useful information about SAP Basis: www.sap-corner.de.
These default users use initial passwords that are well known.
The freeware Scribble Papers is a "note box" in which all kinds of data can be stored. It takes in typed texts as well as graphics and entire documents. The data is then organised in folders and pages.
Now, if you want to use the debugger, you can set a Session Breakpoint directly from the source code via the button.