Permissions checks
Perform upgrade rework for Y landscapes permission proposal values
After defining the roles and generating the corresponding authorization profiles, the individual persons in the company are then assigned to the roles. In the process, the so-called user comparison takes place and the role-specific authorizations are stored in the user master record. The master record contains all information about an SAP user, including authorizations.
Wildgrowth of characters used in user IDs can have negative effects. Set a bar on it by limiting the character set in the first place. In the SAP system, depending on the release of the SAP_BASIS software component, you can create users whose names may contain "alternative" spaces. In Unicode systems, there are different spaces, which are represented by different hexadecimal values. The usual space has a hexadecimal value of 20, but there are alternative spaces (wide spaces), which can be recognised, for example, as double width or not at all as character spacing. You can use these alternate spaces when entering the user ID by pressing the Alt key. For example, the key combination (Alt) + 0160 can create a space with a non-breaking space. You can also create a user whose ID consists only of alternate spaces. Users with such IDs will write all change documents, but the IDs can still cause confusion if, for example, they are not recognisable as a user ID or if it appears that no user is displayed for the change document. In addition, certain special characters may cause problems in other applications (e.g. in transport management). Therefore, we will show you how to prevent such problems by limiting the character set.
Query the Data from an HCM Personnel Root Record
The object S_PROGRAM checks since SAP Release 2.x for the field TRDIR-SECU i.e. the authorization group of the program. As of Release 7.40, you can optionally switch on a check for the object S_PROGNAM. For more information, see note 2272827 for further instructions. The check on S_PROGNAM MUST first be activated in the customer system. Note, however, that they CORRECTLY authorize S_PROGNAM before doing so, otherwise NOBODY except emergency users will be able to start any report or report transaction after the SACF scenario is activated.
The daily business of an authorization administrator includes the checks and analyses of critical authorizations and combinations in the system. The focus is on users and roles in the respective clients and system rails. The SAP standard report RSUSR008_009_NEW is suitable for this purpose. You must first create corresponding check variants and authorization values for critical authorizations or combinations either using the program itself or transaction SU_VCUSRVARCOM_CHAN. These then correspond to your internal and external security guidelines. You can then run the report with your respective check scope and the corresponding critical authorization or combination variant and check in which roles or users such violations exist. This serves to protect your entire IT system landscape and should be carried out periodically.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
The daily business of an authorization administrator includes the checks and analyses of critical authorizations and combinations in the system.
If you want to know more about SAP authorizations, visit the website www.sap-corner.de.
There will always be inactive users in your SAP system.