Assignment of critical authorizations and handling of critical users
Use system recommendations to introduce security
The results of the evaluation are marked with a coloured symbol. Classification varies for the different eligibility tests. The EWA does not only contain security-related tests and is therefore divided into different sections (e.g. hardware, performance). The test results in these areas are displayed with a traffic light symbol. If one of the tests within a section is indicated in red, the traffic light for that section shall also be set in red.
If you want to export the movement data of the productive system to a development system, you should first export user master records and the permission proposal values and archive the complete change documents. After importing, you can then delete the imported change documents, in analogy to the client copy, and then reload and index the original change documents of the development system. The activities described here require administrative permissions for the change documents (S_SCD0 and S_ARCHIVE) and, if applicable, for the table logs (S_TABU_DIS or S_TABU_NAM and S_ARCHIVE). These permissions should be considered critical, and you should assign them to a small circle.
Determine Permissions Error by Debugging
In each filter, you can define for which clients and users events should be recorded. You can record the events depending on their audit class or categorisation, or you can select them directly via the detail setting. For the Client and User selection criteria, you can use generic values, i.e. you can select all clients or users that meet specific naming criteria (e.g., Client 10* or User SOS_*). For example, you can filter the loggers of multiple emergency users.
Then run step 2c. Here too, there are new features. You will be shown a selection of the roles to match again. However, you have the possibility to perform a simulation of the mixing process via the button Mix. This allows you to see which permissions would be changed in the roles without actually doing so. For more information, see Tip 44, "Compare Role Upgrade Permissions".
Authorizations can also be assigned via "Shortcut for SAP systems".
Not all users should be able to log on to the application server during your maintenance? Use the security policy and a new profile parameter.
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
To view the permission checks from the permissions system trace, start the trace from the STAUTHTRACE transaction and run the applications you want to view.