What to do when the auditor comes - Part 2: Authorizations and parameters
Map roles through organisational management
The case that the user buffer is not up to date is very rare. The profile parameter auth/new_buffering with the value 4 causes changes to the user master record, to roles or to profiles to be written immediately to the user buffer (database table USRBF2), so the user does not need to log on again for them to take effect. This value is the default. An outdated buffer can be recognised in transaction SU56: authorizations that exist in the user master record but not in the buffer are flagged with the note "In the master record but not in the user buffer".
The role menu of the PFCG role now consists of folders, which represent all logical links within an area start page, and external services, which represent the logical links and the area start pages themselves. This means that every external service listed in the role menu is authorization-relevant for an area start page or a logical link. If such an external service is removed from the role menu and the PFCG role is generated, users assigned to this role no longer have authorization to display that external service (see screenshot on the next page). You will find duplicate, sometimes even triple, entries for external services. These occur mainly in the folders of the home page and under GENERIC_OP_LINKS. You can delete them without concern, because an external service only needs to appear once in the role menu for the authorization to be granted. For a better overview, it is also useful to rename the external services or folders to match how they are shown in the SAP CRM Web Client.
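The cleanup described above, as an added example (not SAP code and not a PFCG function): a role menu exported into nested dicts is scanned for external services that occur more than once, and a copy is built that keeps only the first occurrence. The folder and service names are constructed for illustration. The last function checks the invariant the text relies on: the set of services the generated role would authorise is the same before and after the deduplication.

```python
"""Find and remove duplicate external services in a PFCG role menu.

Added example, not SAP code. The menu is modelled as a dict of folders
with the external services they contain; folder and service names are
constructed and do not refer to a real role.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample of a CRM Web Client role menu export.
ROLE_MENU = {
    "name": "ZSALES_ROLE",
    "folders": [
        {"name": "Home",
         "services": ["CRM_UI_HOME", "CRM_ACCOUNT_SEARCH", "CRM_UI_HOME"]},
        {"name": "Account Management",
         "services": ["CRM_ACCOUNT_SEARCH", "CRM_ACCOUNT_CREATE"]},
        {"name": "GENERIC_OP_LINKS",
         "services": ["CRM_ACCOUNT_CREATE", "CRM_OPP_CREATE", "CRM_ACCOUNT_SEARCH"]},
    ],
}


def find_duplicates(menu: dict) -> Dict[str, List[str]]:
    """Map each external service that occurs more than once to the folders it occurs in."""
    seen: Dict[str, List[str]] = {}
    for folder in menu["folders"]:
        for svc in folder["services"]:
            seen.setdefault(svc, []).append(folder["name"])
    return {svc: where for svc, where in seen.items() if len(where) > 1}


def dedupe_menu(menu: dict) -> Tuple[dict, List[Tuple[str, str]]]:
    """Return a copy of the menu that keeps the first occurrence of every external
    service, plus the (folder, service) pairs that were dropped, for review."""
    kept: Set[str] = set()
    removed: List[Tuple[str, str]] = []
    new_folders = []
    for folder in menu["folders"]:
        services = []
        for svc in folder["services"]:
            if svc in kept:
                removed.append((folder["name"], svc))
            else:
                kept.add(svc)
                services.append(svc)
        new_folders.append({"name": folder["name"], "services": services})
    return {"name": menu["name"], "folders": new_folders}, removed


def services_granted(menu: dict) -> Set[str]:
    """Set of external services the generated role would authorise.
    Each service only needs a single entry in the menu to be granted."""
    return {svc for folder in menu["folders"] for svc in folder["services"]}


if __name__ == "__main__":
    cleaned, dropped = dedupe_menu(ROLE_MENU)
    print("duplicates:", find_duplicates(ROLE_MENU))
    print("dropped:", dropped)
    print("same grant set:", services_granted(cleaned) == services_granted(ROLE_MENU))
```

Run the deduplication on an export first and review the dropped pairs before touching the role in PFCG; the interesting output is not the cleaned menu but the confirmation that the granted set is unchanged.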
Installing and executing ABAP source code via RFC
Define critical authorization combinations that must not be assigned in the monitored systems. A whitelist lets you exclude specific users (such as emergency users) from the evaluation. Also identify weaknesses in the configuration of your RFC interfaces, i.e. RFC destinations in which users with extensive authorizations (e.g. the SAP_ALL profile) are stored together with their logon data. Such destinations can be used for so-called RFC hopping, where an attacker who has gained access to one system uses such an over-privileged RFC destination to reach a further SAP system.
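Both checks from the paragraph above, as an added example that is not part of any SAP tool: a critical-combination evaluation with a whitelist of emergency users, and a scan of RFC destinations for stored users that hold a critical authorization such as SAP_ALL. The users, authorizations and destinations are constructed sample data; the authorization object names are real SAP objects but their assignment to users here is invented, and the destination records are a simplification of what an RFC destination actually stores.

```python
"""Critical authorization combinations and over-privileged RFC destinations.

Added example, not SAP's own tooling. All users, authorization assignments
and destinations below are constructed for illustration.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed: user -> authorization objects / profiles held.
USER_AUTHS: Dict[str, Set[str]] = {
    "JSMITH": {"F_BKPF_BUK", "F_LFA1_APP", "F_REGU_BUK"},  # maintain vendor AND run payments
    "AMILLER": {"F_BKPF_BUK"},
    "FIREFIGHT01": {"SAP_ALL"},                           # emergency user
    "RFC_BATCH": {"SAP_ALL"},                             # service user stored in a destination
    "RFC_READ": {"S_RFC", "S_TABU_DIS"},
}

# A combination is a hit only when the user holds every element of the set.
CRITICAL_COMBOS: Dict[str, Set[str]] = {
    "maintain vendor AND run payment": {"F_LFA1_APP", "F_REGU_BUK"},
    "full authorization": {"SAP_ALL"},
}

# Emergency users excluded from the combination evaluation.
WHITELIST: Set[str] = {"FIREFIGHT01"}

# Constructed RFC destinations: which user is stored and whether a password is saved.
RFC_DESTINATIONS: List[Dict] = [
    {"name": "PRD_TO_BW", "target": "BW1", "user": "RFC_BATCH", "stored_credentials": True},
    {"name": "PRD_TO_HR", "target": "HR1", "user": "RFC_READ", "stored_credentials": True},
    {"name": "PRD_TO_DEV", "target": "DEV", "user": "", "stored_credentials": False},
]


def critical_hits(user_auths: Dict[str, Set[str]], combos: Dict[str, Set[str]],
                  whitelist: Set[str]) -> List[Tuple[str, str]]:
    """(user, combination) pairs where a non-whitelisted user holds a full combination."""
    hits = []
    for user, auths in sorted(user_auths.items()):
        if user in whitelist:
            continue  # emergency users are reviewed separately, not ignored
        for label, required in combos.items():
            if required <= auths:
                hits.append((user, label))
    return hits


def hopping_destinations(destinations: List[Dict], user_auths: Dict[str, Set[str]],
                         critical: FrozenSet[str] = frozenset({"SAP_ALL"})) -> List[str]:
    """Destinations usable for RFC hopping: logon data is stored and the stored
    user holds one of the critical authorizations. The whitelist deliberately
    does not apply here, since a stored emergency user is still a hop."""
    risky = []
    for dest in destinations:
        if not dest["stored_credentials"]:
            continue
        if user_auths.get(dest["user"], set()) & critical:
            risky.append(dest["name"])
    return risky


if __name__ == "__main__":
    for user, combo in critical_hits(USER_AUTHS, CRITICAL_COMBOS, WHITELIST):
        print(f"critical: {user} holds '{combo}'")
    for name in hopping_destinations(RFC_DESTINATIONS, USER_AUTHS):
        print(f"RFC hopping risk: destination {name}")
```

The two findings are reported separately on purpose: a critical combination is a segregation-of-duties problem for the user, while an over-privileged destination is a path between systems, and fixing one does not fix the other.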
Balances: in the balance display transactions, users are shown only the documents for which they have authorization. If the Profit Center field is not filled in the entry view (table BSEG), the general ledger view (usually table FAGLFLEXA) is checked instead. To compensate, we recommend including the Profit Center among the selection fields of the balance transactions.
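The fallback described above, as an added example (not SAP code): the profit center of a document line is taken from the entry view first and from the general ledger view only when it is empty there, and a line is displayed only if that resolved profit center lies within the user's authorized set and, where the transaction was started with a profit center selection, within that selection. BSEG and FAGLFLEXA are modelled as lists of dicts with constructed rows; the field names follow the SAP tables as far as I know them, and the fail-closed handling of lines without any profit center is an assumption of this example, not something the page states.

```python
"""Resolve the profit center used for the authorization check on a document line.

Added example, not SAP code. BSEG (entry view) and FAGLFLEXA (general
ledger view) are modelled as lists of dicts; the rows are constructed.
"""
from typing import Dict, List, Optional, Set

# Constructed document lines. 1900000002 has no profit center in the entry
# view but does in the G/L view; 1900000003 has none in either.
BSEG: List[Dict[str, str]] = [
    {"BUKRS": "1000", "BELNR": "1900000001", "GJAHR": "2023", "BUZEI": "001", "PRCTR": "PC100"},
    {"BUKRS": "1000", "BELNR": "1900000002", "GJAHR": "2023", "BUZEI": "001", "PRCTR": ""},
    {"BUKRS": "1000", "BELNR": "1900000003", "GJAHR": "2023", "BUZEI": "001", "PRCTR": ""},
]
FAGLFLEXA: List[Dict[str, str]] = [
    {"RBUKRS": "1000", "DOCNR": "1900000002", "RYEAR": "2023", "BUZEI": "001", "PRCTR": "PC200"},
]


def resolve_profit_center(bukrs: str, belnr: str, gjahr: str, buzei: str,
                          bseg=BSEG, faglflexa=FAGLFLEXA) -> Optional[str]:
    """Entry view first; if PRCTR is empty there, fall back to the G/L view."""
    key = (bukrs, belnr, gjahr, buzei)
    for row in bseg:
        if (row["BUKRS"], row["BELNR"], row["GJAHR"], row["BUZEI"]) == key and row["PRCTR"]:
            return row["PRCTR"]
    for row in faglflexa:
        if (row["RBUKRS"], row["DOCNR"], row["RYEAR"], row["BUZEI"]) == key and row["PRCTR"]:
            return row["PRCTR"]
    return None  # no profit center in either view


def visible_lines(authorized_prctrs: Set[str], selected_prctrs: Optional[Set[str]] = None,
                  bseg=BSEG, faglflexa=FAGLFLEXA) -> List[str]:
    """Document numbers the user may see.

    A line is shown only when its resolved profit center is in the user's
    authorized set and, if a profit center selection was entered, also in
    that selection. Lines with no resolvable profit center are hidden
    (fail closed); that policy is an assumption of this example.
    """
    shown = []
    for row in bseg:
        prctr = resolve_profit_center(row["BUKRS"], row["BELNR"], row["GJAHR"],
                                      row["BUZEI"], bseg, faglflexa)
        if prctr is None or prctr not in authorized_prctrs:
            continue
        if selected_prctrs is not None and prctr not in selected_prctrs:
            continue
        shown.append(row["BELNR"])
    return shown


if __name__ == "__main__":
    print(visible_lines({"PC100", "PC200"}))            # both resolvable lines
    print(visible_lines({"PC100"}))                     # G/L-view line filtered out
    print(visible_lines({"PC100", "PC200"}, {"PC200"}))  # selection narrows further
```

The selection parameter is the reason the text recommends adding Profit Center to the selection fields: it lets the user narrow the result to the profit centers they are entitled to before the authorization check hides the rest, instead of running an unrestricted selection and then seeing an incomplete list.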
If you find yourself in a situation where authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
Essential system parameters are also part of the audit.
A note box in which data of all kinds can be quickly filed and retrieved. This is what Scribble Papers promises. At first, the program looks very spartan. But once a small structure is in place, you realise the great flexibility of this little helper.
These include defining the CUA (ZBV) landscape, i.e. specifying the central system and the child systems, adjusting the distribution parameters, and transferring the users from the child systems to the central system.