SAP Basis Configuration & operation of the SAP Solution Manager - SAP Corner

Configuration & operation of the SAP Solution Manager
SAP ICM
A secure SAP system does not only include a good role concept. It is also necessary to check whether a user should (still) have a specific role. Regular verification of role assignment is called recertification. In this blog post, I'd like to introduce you to the need for recertifications and our own tool, EasyReCert.

The need for recertification - scenarios:

Example 1: The "apprentice problem"
Imagine the following scenario: A new employee (e.g. an apprentice or trainee) will go through various departments as part of his or her training and will work on various projects. Of course, an SAP user equipped with appropriate roles will be made available to your employee right at the beginning. With each project and department the employee passes through, he or she repeatedly needs new permissions to meet the requirements. After the employee has successfully completed his or her induction and is now in a permanent position, he or she still has permissions that are not necessary to perform his or her duties. This violates the principle of "least privilege" and represents a potential security risk for your company.

Example 2: The change of department
The change of department is one scenario that probably occurs in every company. If a change of department does not automatically involve a complete reallocation of roles and the employee simply takes his or her old permissions along, critical combinations of permissions can occur very quickly. For example, an employee who has permissions in accounts payable and accounts receivable violates the SoD ("Segregation of Duties") principle and poses a potential security risk to your company.

Recertification as part of a revision:
The two examples above show that a regular review of role allocation identifies potential security risks for your business so that they can be addressed.

An SAP administrator has the task of controlling a company's SAP system and ensuring its proper functioning. He/she maintains and monitors SAP applications and is also responsible for their development.
DBCO Database connections
The SAP Security for Administrators training block covers the basics of security when using SAP systems. Participants receive training in basic security measures in the form of prevention and monitoring.

Whenever you find a red traffic light on the Roles tab in the user master in SU01, or a yellow traffic light on the Users tab in PFCG, you can usually solve the problem with a simple user comparison. There can be several reasons why such a user comparison is necessary. Among others: after a role transport; when assigning users to roles via PFCG; after restricting the validity of roles to users; when roles are assigned indirectly via organizational management.

Users usually notice quite quickly that a user comparison has not been carried out: authorizations are missing, although at first glance they are available in the assigned authorization roles. This is because the user is assigned the correct authorization role, but the profile associated with the role is not up to date.

With "Shortcut for SAP Systems" a tool is available that greatly facilitates some tasks in the SAP basis.

Critical authorizations must therefore generally be granted with particular care, and granting them should be planned in advance.

Understanding the structure and functioning of the system is especially important for IT administration. It is not for nothing that "SAP Basis Administrator" is a separate professional field. On the page www.sap-corner.de you will find useful information on this topic.


Nevertheless, the two fields of activity are usually organizationally separated in the company.