Features of the SAP authorization concept
SU2X_CHECK_CONSISTENCY & SU24_AUTO_REPAIR
Are you already using BAPIs in user care? For example, you can use them to set up a password reset self service. We show you how to do this and what you need to pay attention to. Especially with large system landscapes and systems that are only sporadically used, users often forget their password. Strengthened password rules (e.g. to change a password regularly or to require certain character types to be used), which are supposed to serve security, do their part. Forgotten passwords and the frequently resulting user locks are unfortunately often lost to the user when access to a system is most needed. Unlocking a user and assigning a new password is rarely done in real time, even with large 24-hour support service departments. This problem, which I am sure you are familiar with, does not exactly promote employee satisfaction and productivity. A self-service that uses the Business Application Programming Interfaces (BAPIs) can counteract this.
The S_RFCACL authorization object is removed from the SAP_ALL profile by inserting SAP Note 1416085. This notice is included in all newer support packages for the base component; This affects all systems down to base release 4.6C. The reason for this change is that the S_RFCACL authorization object, and especially the expression "total permission" (*), is classified as particularly critical for its fields RFC_SYSID, RFC_CLIENT and RFC_USER. These fields define from which systems and clients or for which user IDs applications should be allowed on the target system. Thus, the overall authorisation for these fields allows the login from any system and client or for any user and thus creates significant security risks.
Hash values of user passwords
Existing log files are managed using the SM18 transaction. Here you can delete the log files in all active instances. This requires the indication of a minimum age in days for deletion. The smallest possible value is three days, without taking the current day into account in the calculation.
Authorization object: Authorization objects are groups of authorization fields that control a specific activity. Authorization objects should always be defined in advance with the user group and then relate to a specific action within the system.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
If you want to get more information about SAP basis, visit the website www.sap-corner.de.
The result list shows all the authorised tables, their permissions, and their permission values.
To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.
Password change rules are still not valid for System or Service type users.