We support you in the following tasks:
CG3Z Upload file
In this article on SAP Security Automation I would like to take a look at the future of automated processes in the SAP Security area. For many companies, the topic of security automation still offers a lot of potential in terms of time savings and process optimisation. Our daily work environment offers numerous tasks that could be handled excellently automatically. For this reason, in this article I present two of the possibilities that already exist in the broad area of security automation. Security Automation via SAP Security Check The first option of Security Automation, which I want to introduce here, is the automatic verification of the existing permissions. Have you ever wondered who has critical permissions in your SAP system? And have you ever tried to do this by hand? Depending on the level of expertise and experience of the privilege administrator, this is a time-consuming work. If an audit is also announced and the SAP system is to be checked for critical permissions and segregation of duties, then it is very difficult to meet all requirements and secure the eligibility landscape in this respect. For this reason, various vendors provide solutions to automate the verification of the permission system with regard to critical permissions and segregation of duties using tool support. This allows permission administrators to use their valuable time to correct the errors rather than just looking for them. For example, we use a tool that runs through the verification of over 250 rules. We then get an evaluation of which rules are violated and which points are correct. A simple example of such rules is the use of the SAP_ALL profile. Another would be to grant the jump permission in debugging (S_DEVELOP permission object with the ACTVT = 02 field). These are two relatively simple examples of Security Check tools' rulebook. In addition, queries are also made, which are located in the field of Segregation of Duties. Using this tool allowed us to move from manual validation of critical permissions to an automatic process.
Test of EDI data transmission In the transaction WE05 all incoming and outgoing messages and IDocs as well as the status of the IDocs are displayed. If the order data is correctly entered and the partner profile is correctly configured, the IDoc is listed as successfully processed.
Documentation and training
If you now want to change the permission data, you will be asked for values for the appropriate organisation levels. First enter a tilde (~) and define the value later in the derived roles. Maintain the permissions you want and then generate the master role. Adding the organisational level to the master role Step 2: Define derived roles Create derived roles Assign the master role After you have created the master role, it is the derived roles that are in the process. To do this, re-enter a suitable role name via the PFCG. In our example, it is called "findepartment_d01". For a better overview, it is usually useful to name and number the derivatives after the master roles. You can also define the roles according to a different scheme. After you have created the role, you must then enter the master role in the Derive from Role field in the Description tab. Confirm the Auto Enquiries. Customise the Organisation Levels Now go to the "Menu" tab. There you can see that the data from the master role was automatically copied. Since the role has not yet been generated, the Permissions tab is currently highlighted in red. Therefore, call "Change Permissions Data". The first call should automatically open a dialogue to maintain the organisational levels, as they are still empty. If this is not the case, or if you would like to adjust the organisational levels again in a later case, you can also access them via the button Ordende (see screenshot). If everything worked well, you can now see that the permissions were also automatically taken from the master role. If you generate the role, the permission tab will also appear green. Congratulations, you have successfully created a derived role! Repeat step 2 with the additional derivatives to adjust the organisation levels accordingly.
SAP Basis Support ensures secure operation of the SAP system landscape. For proper operation of the SAP system, the database and operating systems must be checked on a daily basis.
Tools such as "Shortcut for SAP Systems" are extremely useful in basic administration.
After fixing the error, you can resume playback.
The website www.sap-corner.de offers many useful information about SAP basis.
This data should then be taken into account in all manipulations of users and roles.