BASICS FOR USING SAP REPORTS
When it comes to preparing for the auditor, it should definitely be checked whether all critical authorizations, as well as the important parameters, have been correctly assigned or set up in SAP®. The specifications for this should all be defined in the authorization concept documented in writing and must also be consistent with this. In this context in particular, however, it is not always easy to check all the essential points using the SAP® standard on-board tools. This is where the experienced auditors at IBS Schreiber GmbH can provide support.
You probably know this. You find a specific customising table and you don't find it. Include the tables in the guide and they are easy to find. Customising is used by almost every SAP customer. Custom customising tables are created and standard programmes are extended. A custom programme that uses customising is written quickly. Project printing often lacks the time for sufficient documentation, for example in the SAP Solution Manager. The easiest way is to find customising tables where they are in the SAP standard: in the SAP Introductory Guide (IMG).
The best way for companies to combat historically grown uncontrolled growth in authorizations is to prevent it. An analysis of whether the current authorization concept is sufficient for the company helps here.
In general, you should note that not all relevant change documents of a system are present in the user and permission management. As a rule, authorisation administration takes place in the development system; Therefore, the relevant proof of amendment of the authorisation management is produced in the development systems. By contrast, you will find the relevant user administration change documents in the production systems; Therefore, you should note that when importing roles and profiles in the production systems, no change documents are written. Only transport logs are generated that indicate that changes have been made to the objects. For this reason, the supporting documents of the development systems' authorisation management are relevant for revision and should be secured accordingly.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
The same is true if no value is maintained.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
Change the password, assign the user to the SUPER user group, and log it with the Security Audit Log.