SAP Authorizations SAP AUTHORIZATIONS: THE 7 MOST IMPORTANT REPORTS - SAP Admin

Direkt zum Seiteninhalt
SAP AUTHORIZATIONS: THE 7 MOST IMPORTANT REPORTS
Evaluate Permission Traces across Application Servers
The daily business of an authorization administrator includes the checks and analyses of critical authorizations and combinations in the system. The focus is on users and roles in the respective clients and system rails. The SAP standard report RSUSR008_009_NEW is suitable for this purpose. You must first create corresponding check variants and authorization values for critical authorizations or combinations either using the program itself or transaction SU_VCUSRVARCOM_CHAN. These then correspond to your internal and external security guidelines. You can then run the report with your respective check scope and the corresponding critical authorization or combination variant and check in which roles or users such violations exist. This serves to protect your entire IT system landscape and should be carried out periodically.

For accesses by verifier users (from the table TPCUSERN), the selection parameters of the invoked transaction are logged in the application log and can be evaluated with the report CA_TAXLOG. In the example, the single ledger entry for the vendor account 100000 was invoked.
Security in development systems
You noticed that the maintenance status of the permissions in PFCG roles changes when you maintain, change, or manually add authorization objects? Find out what the permission status is. When deleting or adding transactions in the role menu of PFCG roles, the respective permissions in the PFCG role have the Maintenance Status Standard. Add or change the permissions, the Maintenance Status changes to either Care or Changed. You may have seen the Maintenance Status Manual before. What are the background to this maintenance status and what do they actually say?

Regardless of whether you select the degree of simplification COARS = 1 or 2, you should not enter * or SAPDBPNP (programme name of logical database PNP) in the REPID field. With these values, you allow access to the logical databases SAPDBPNP and SAPDBPAP and thus to all contained root data.

If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.

Some useful tips about SAP basis can be found on www.sap-corner.de.


If it is a function block or a Web application, you can obtain the programme name by using the System Trace for Permissions (transaction ST01 or transaction STAUTHTRACE).

So much information... how can you keep it so that you can find it again when you need it? Scribble Papers is a "note box" that makes this very easy.


In the PRGN_CUST table, set the customising switch REF_USER_CHECK to E.
Zurück zum Seiteninhalt