Audit Information System Cockpit
Redesign of SAP® Authorizations
Roles can be cut so that, for example, they only have display or change permissions. Furthermore, it could be differentiated between customising, master data and movement data maintenance.
Create a report transaction for the report that is called in the background job. Set up the report transaction in the transaction SE93 and assign the report RHAUTUPD_NEW as a programme. Start the authorisation trace by setting the auth/ authorisation_trace profile parameter to Y or F if you want to work with filters (see tip 38, "Use the SU22 and SU24 transactions correctly"). Now run the job to collect permission checks on the permission trace. Your permission checks should now be visible in the STUSOBTRACE transaction. Now maintain the permission proposal values for your report transaction in transaction SU24 by entering the transaction code in the appropriate field. You will find that no values are maintained. Now switch to Change Mode. You can add your permission suggestions from the trace using the Object > Insert objects from Permissions Trace > Local (see Tip 40, "Use Permission Trace to Determine Suggest Values for Custom Developments"). Add the suggestion values for each displayed authorization object. Now create a PFCG role that includes the report transaction permission and maintain the open permission fields. Then test whether the job can be run with the permissions from the PFCG role.
Permissions objects already included
Armed with this information, it goes to the conceptual work. Describe which employee groups, which organisational units use which applications and define the scope of use. In the description, indicate for which organisational access (organisational level, but also cost centres, organisational units, etc.) the organisational unit per application should be entitled; So what you're doing is mapping out the organisation. It is also important to note which mandatory functional separation must be taken into account. This gives you a fairly detailed description, which in principle already indicates business roles (in relation to the system).
Every company knows the situation, every year again the auditor announces himself to perform the annual audit and to certify the balance sheet at the end of the audit. In the first part on this topic, the focus was on the relevant processes and documentation. In this part, the concentration is on a deeper level, namely directly in the SAP® system. The specifications for this should already be written down in the SAP® authorization concept.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
The website www.sap-corner.de offers many useful information about SAP basis.
To do this, administrators should obtain an overview and the assigned authorizations should be checked regularly.
The freeware Scribble Papers is a "note box" in which all kinds of data can be stored. It takes in typed texts as well as graphics and entire documents. The data is then organised in folders and pages.
The advantage of the audit structures as area menus is that you can use existing area menus or simply create new area menus.