SAP Authorizations Critical authorizations - SAP Corner

Critical authorizations
Maintain proposed values using trace evaluations
SAP*: The SAP* user is part of the SAP kernel. Because it is hard-coded in the SAP system, it does not need a user master record. If no user master record exists for SAP*, anyone can log on to the SAP system with this user after a restart, because the default password then applies. The user then has access to all functions, since authority checks do not take effect in this case. You can prevent this behaviour by setting the profile parameter login/no_automatic_user_sapstar to 1. If you want to copy clients, you have to set this parameter back to 0 beforehand, because the user SAP* is required for the copy. Safeguard measures: Regardless of the parameter setting, the SAP* user should have a user master record in all clients. Remove all profiles from it and lock the user. In addition, change the password, assign the user to the user group SUPER, and log it with the Security Audit Log.
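The two safeguards in the paragraph above (the profile parameter and the per-client state of the SAP* user master record) can be checked mechanically. The following script is an added example and not code from SAP Corner: it parses an SAP profile file in its usual `parameter = value` syntax and audits a list of user records for each client. The profile text and the user records are constructed sample data; the `UserRecord` structure is a simplified stand-in for whatever export of user master data (lock status, user group, assigned profiles) you actually use, not an SAP table layout.

```python
"""Audit the SAP* safeguards: profile parameter and per-client user master record.

Added example, not from the original page. Inputs are constructed sample data.
"""
from dataclasses import dataclass, field

SAPSTAR_PARAM = "login/no_automatic_user_sapstar"


def parse_profile(text: str) -> dict:
    """Parse SAP profile syntax: one 'name = value' per line, '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def check_sapstar_parameter(params: dict) -> list:
    """Return findings if SAP* automatic logon is not switched off (value must be 1)."""
    value = params.get(SAPSTAR_PARAM)
    if value is None:
        return [f"{SAPSTAR_PARAM} not set in this profile; verify the effective value on the instance"]
    if value != "1":
        return [f"{SAPSTAR_PARAM} = {value}: SAP* can log on with the default password "
                "in any client that lacks a user master record for it"]
    return []


@dataclass
class UserRecord:
    """Simplified user master record (constructed structure, not an SAP table)."""
    client: str
    name: str
    locked: bool
    user_group: str
    profiles: list = field(default_factory=list)


def check_sapstar_users(clients: list, records: list) -> list:
    """Check that SAP* exists, is locked, has no profiles and is in group SUPER in every client."""
    findings = []
    by_key = {(r.client, r.name): r for r in records}
    for client in clients:
        rec = by_key.get((client, "SAP*"))
        if rec is None:
            findings.append(f"client {client}: no user master record for SAP*")
            continue
        if not rec.locked:
            findings.append(f"client {client}: SAP* is not locked")
        if rec.profiles:
            findings.append(f"client {client}: SAP* still has profiles {rec.profiles}")
        if rec.user_group != "SUPER":
            findings.append(f"client {client}: SAP* is in user group {rec.user_group!r}, expected SUPER")
    return findings


# Constructed sample profile: the weak setting (0) left over from a client copy.
SAMPLE_PROFILE = """\
# instance profile (constructed sample)
SAPSYSTEMNAME = DEV
login/no_automatic_user_sapstar = 0   # must be 1 outside of client copies
login/min_password_lng = 8
"""

# Constructed sample user records for three clients.
SAMPLE_CLIENTS = ["000", "001", "100"]
SAMPLE_RECORDS = [
    UserRecord("000", "SAP*", locked=True, user_group="SUPER"),
    UserRecord("001", "SAP*", locked=False, user_group="SUPER", profiles=["SAP_ALL"]),
    # client 100 has no SAP* record at all
]


def audit(profile_text: str = SAMPLE_PROFILE, clients=SAMPLE_CLIENTS, records=SAMPLE_RECORDS) -> list:
    """Run both checks and return the combined list of findings."""
    return check_sapstar_parameter(parse_profile(profile_text)) + check_sapstar_users(clients, records)


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

With the constructed data the audit reports the parameter set to 0, client 001 with an unlocked SAP* that still carries SAP_ALL, and client 100 without any SAP* record; a clean system returns an empty list.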

You may have special requirements that necessarily have to be included in the naming convention, for example when you define template roles in a template project that can be customised locally. You can make this recognisable in the naming.
Add external services from SAP CRM to the proposal values
You can greatly facilitate the maintenance of permissions in Controlling by defining the RESPAREA field as an organisational level and thus using your cost centre and profit centre hierarchies. In the SAP system, you can define cost centre hierarchies and profit centre hierarchies; for example, they can map the operational organisation or a matrix organisation in your company. To simplify the mapping of permissions for the Controlling reports, you can grant permissions on nodes of those hierarchies. You do this by assigning permissions through the RESPAREA field, which is used in certain authorization objects in Controlling. We would like to make creating roles for these permissions easier by explaining which activities are necessary beforehand to define the RESPAREA field as an organisational level.

In the SAP standard, there is no universally applicable way to automate the mass maintenance of role derivations. We therefore present three possible approaches:
1) A custom development
2) Automated mass maintenance using the Business Role Management (BRM) component of SAP Access Control
3) Use of a pilot note that provides a report for the mass update of organisational values in roles (currently available to selected customers)

The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".

In contrast to the previous systems, however, roles and profiles are maintained here, so that appropriate rights must be assigned to the role/profile administrators.

You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.

They have far-reaching authorizations that can cause great damage to your system if misused.