Assign SAP_NEW to Test
Due to the complexity of an SAP® authorization concept, it is necessary that all essential aspects are set down in a written documented authorization concept. This should describe the essential processes, but also how to handle the assignment of authorizations via roles. In particular, the nomenclature of specially created roles must be clearly defined. It should therefore be checked whether all changes since the last audit have been documented in the written authorization concept. After all, this document serves the auditor as a template for the so-called target/actual comparison. This means that the auditor compares the document with the actual status in the SAP® system for the main topics relevant to the audit. Any discrepancy can lead to a finding that must be avoided.
With the Enhancement Package (EHP) 3 to SAP ERP 6.0, SAP has provided an extension of the eligibility tests in the FIN_GL_CI_1 Business Function, which allows the eligibility objects for profit centres to be tested in FI. You must first enable the FIN_GL_CI_1 Business Function in the Switch Framework (transaction SFW5). After that, you can activate the new functionality in Customising via this path: Finance (new) > Basic Financial Settings (new) > Permissions > Enable Profit Centre Permissions Check.
Implementing the authorization concept in the FIORI interface
Service users are used for multi-person anonymous access, such as Web services. This type of user is also dialogical, i.e. it can log on to the SAP system via SAP GUI. With a service user, multiple logins are always possible, and password modification rules do not work. This behaviour has changed with the introduction of security policy. Because previously all password rules for the service user were invalid, and now the rules for the contents of the passwords also apply to the service user (see Tip 5, "Defining User Security Policy" for details on security policy). The password of a service user always has the status Productive and can only be changed by the user administrator.
This solution is only available with a support package starting with SAP NetWeaver AS ABAP 7.31 and requires a kernel patch. For details on the relevant support packages, see SAP Note 1750161. In addition, the SAP Cryptographic Library must be installed; but this is ensured by the required kernel patch. Only if you have manually made a different configuration, you must check this requirement.
Authorizations can also be assigned via "Shortcut for SAP systems".
Some of the risks are identified by potential security vulnerabilities in the ABAP code, most of which cannot be addressed by downstream measures and therefore need to be addressed in the code itself.
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
If an administrator lock is in place, the user should be informed accordingly.