Make sense in maintaining proposal values
Permissions with Maintenance Status Used
Every company knows the situation, every year again the auditor announces himself to perform the annual audit and to certify the balance sheet at the end of the audit. In the first part on this topic, the focus was on the relevant processes and documentation. In this part, the concentration is on a deeper level, namely directly in the SAP® system. The specifications for this should already be written down in the SAP® authorization concept.
TMSADM: The user TMSADM serves the communication between SAP systems in the transport management system and is automatically created in the client 000 when they are configured. TMSADM only has the permissions to access the common transport directory, view in the change and transport management system, and the necessary RFC permissions. Safeguard measures: Change the user's passwords in each client. There is the report TMS_UPDATE_PWD_OF_TMSADM, which you have to start in the client 000. This is only possible if you have administrator privileges on all systems in the landscape and the password rules of the systems are compatible. After the report has been successfully passed, all TMSADM users of the landscape in the client 000 and their destinations have the same new password.
Equal permissions
In the foreground, important SAP reports on the subject of role and authorization administration were presented. Since these and the entire SAP system are known to be based on ABAP coding, the analysis of the source code is just as important, especially when using in-house developments. These in-house developments often present serious security vulnerabilities because they have insufficient authorization checks in the coding. To search for explicit strings and to categorize the in-house developments accordingly, the report RS_ABAP_SOURCE_SCAN can be used. This allows existing programs in the backend to be explicitly checked for specific check patterns by the authorization administrator and any errors to be corrected by the relevant developers. Authorization-relevant check patterns for such a scan are, for example, "AUTHORITY-CHECK" or SQL statements such as SELECT, UPDATE or DELETE. The former checks whether authorization checks are present in the source code at all. The check for Open SQL patterns analyzes the code structure for direct SELECT, MODIFY or INSERT statements that must be avoided or protected on the authorization side. The best practice measure in this case is to use SAP BAPIs. The preventive best practice would be to involve developers and authorization administrators equally during the conceptual design of the custom development.
After activation, advanced security checks are available in the usual development environment within the ABAP Test Cockpit. The ABAP Test Cockpit is a graphical framework for developers. Various test tools, such as the Code Inspector or the SAP Code Vulnerability Analyser, can be integrated into this. All available test tools can be initiated from this central location and present their results in a common view. No training is required to intuit the tool.
However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".
If such information is available from the past, it should be checked whether all topics have been implemented in accordance with the comments.
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
Similarly, SAP Identity Management version 7.2 SP 3 and above supports the installation of HANA users and the assignment of roles.