Quick check of your SAP security settings with the Xiting Authorizations Management Suite (XAMS)
IT ROADMAP
A well-cared-for emergency user concept enables the audit-proof allocation of extended permissions in combination with the assurance of daily operations in your company. This article first addresses the fundamental issues that require an emergency user approach. It then briefly explains how such a concept works in general and how we implement it. An Emergency User is normally used when tasks are temporarily taken over outside the initial field of activity. I described the different scenarios of when such a user can be used and how to deal with them in this blog post for you. Why is an emergency user approach important? There are several scenarios in which the use of an emergency user with extended rights is useful: In urgent cases, it is often necessary to be able to quickly make changes to the system that are outside the user's actual field of activity. A key user who has the necessary permissions is on vacation and needs a representation. The same user suffers short-term illness and his/her representative must take over his/her duties to ensure the operation. We recommend developing a concept for the short-term allocation of the additional permissions. This will ensure the implementation of the above scenarios. How does an emergency user approach work? An emergency user concept in SAP works fundamentally via a temporary assignment of additional rights to a specific user. After the tasks have been completed, the user is deprived of the rights. The tasks performed with the extended permissions are logged and can then be evaluated by an auditor. However, there are a few things to keep in mind: A process for granting special rights should be defined. It must be specified which users can get special rights. The time period for which users can request an emergency user should be limited.
Cross-client tables can be modified. The control system of another, productive client can thus be undermined and undermined. Quite a lot of power! Did you also know that the SAP system provides a feature that deletes table change protocols (DBTA BLOG table) and that it is effective across all clients? If the table change logs have not been additionally archived via the BC_DBLOGS archiving object, traceability is no longer available. That way, every criminal act within your company can be beautifully covered up. Similarly, full access to batch management allows you to manage all background jobs in all clients with the permission. This allows you to delete old background jobs that have gone unauthorised. There are also some points to consider when managing print jobs. Typically, the following two SAP access permissions are enabled to protect print jobs: S_SPO_DEV (spooler device permissions) S_SPO_ACT (spooler actions). Why? Confidential information in print jobs is not protected against unauthorised disclosure. (Strictly) sensitive print jobs can be read unauthorised or redirected to external printers and printed out. Print jobs are unprotected unless additional SAP access permissions are enabled to protect print output. The print jobs are multi-tenant, which means that the authorisation award should also be well thought through at the point.
On www.sap-corner.de you will also find useful information about SAP basis.
HTML5
PROJECT HISTORIES: THE SAP basis OF TOMORROW An entry in the Forum Infrastructure and Operations within the DSAGNet drew attention to the problem of the SAP basis as described above. This led to a lively discussion, which attracted a lot of interest from the members of the DSAM. Building on the interest and need for action of the member companies, a project was initiated by the DSAG as well as by the SAP, which should deal with the future of the SAP basis. Several companies were invited to participate and their willingness to participate actively was questioned in a DSAG survey. The first project meeting took place within the framework of the DSAG Annual Congress in Bremen in 2015. As a result, regular events took place at the SAP office in Freiberg am Neckar and St Leon-Rot, with the participation of up to 15 companies. In the project "the SAP basis of Tomorrow", current questions of the companies as well as the question of the SAP basis of the future were discussed and worked out with regard to the IT landscape, processes and organisational structure. A master's thesis was initiated to document and prepare the results as well as to examine the topic in scientific terms in parallel with the project. This was made at the University of Applied Sciences Würzburg-Schweinfurt as part of the Master's programme in Information Systems with Prof. Dr. Karl Liebschnitel and submitted for evaluation at the end of March 2016.
If you have already defined a Queue, but the Queue does not meet its requirements or has encountered errors, you can delete it again. Note that your system is inconsistent when you delete the queue after objects have been imported (for example, after an error in the DDIC_IMPORT step and following). The deletion in these SPAM steps should only be used for troubleshooting and you should repeat the insertion of the support packages as soon as possible. Note that starting with SPAM/SAINT version 11, you cannot delete the queue after the DDIC_IMPORT step and following. Procedure Select View/Define SPAM in the entry image of the transaction. You will get a dialogue box that displays the current queue. In this dialogue box, select Delete Queue. Result The queue has been deleted. You can define a new queue.
"Shortcut for SAP Systems" makes many tasks in the area of the SAP basis much easier.
There are the following types of Support Packages: SPAM/SAINT Update A SPAM/SAINT update (PAT) contains updates and improvements to the SAP Patch Manager and the SAP Add-On Installation Tool.
So much information... how can you keep it so that you can find it again when you need it? Scribble Papers is a "note box" that makes this very easy.
And that the RFC users are generously entitled even in productive systems is no longer a secret ("Better to have more permissions than too little; the RFC connections have to run, otherwise there is trouble from the specialist areas!").