Our services in the area of SAP authorizations
Determine Permissions Error by Debugging
Only the current profile data is ever recorded, so obsolete profiles and permissions in the target system cannot be deleted by transport. This data remains associated with the users and stays effective until a user synchronisation with the Cleanup option (transaction PFUD) clears it.
The indirect role assignment uses the evaluation paths PROFLO and PROFLINT to assign the PFCG roles to the corresponding users. However, these evaluation paths ignore the object CP (central person), which represents the business partner in SAP CRM. Transaction PFUD, which performs the user comparison, uses the evaluation paths US_ACTGR and SAP_TAGT. Here, too, the object CP is not known.
Context-dependent authorizations
Remove improperly defined SAP organisational level ($CLASS): This function deletes the $CLASS organisational level that was incorrectly delivered with the GRC plug-in (Governance, Risk and Compliance). Use the test mode of the report to review possible corrections in advance.
Here we present different scenarios for the process of resetting passwords. In all scenarios, the user selects, from a web page, the system and the client in which a password is to be reset. Only systems and clients where this user already exists and has been assigned a permission should be displayed. An initial password is then generated and sent to the user's email address. The user must be unlocked only if a user lock was set by false logins. If an administrator lock is in place, the user should be informed accordingly. Before implementing self-service, consider the password rules set in your systems and the use of security policies, because these settings allow you to control how passwords are generated in your systems. We recommend that you read the instructions in Tips 4, "Set Password Parameters and Valid Signs for Passwords", and 5, "Define User Security Policy".
Additionally secure your go-live with "Shortcut for SAP systems". It lets you assign the necessary SAP authorizations quickly and easily, directly in the system.
Some of the risks arise from potential security vulnerabilities in the ABAP code, most of which cannot be addressed by downstream measures and therefore need to be addressed in the code itself.
When using a HANA database, you should protect both the execution of HANA database functions and read or write access to the data stored in the database with appropriate authorization techniques.