SAP Authorizations User and authorization management - SAP Corner

User and authorization management
Reset passwords using self service
The role concept ensures that each user can only process the tasks for which they are authorized. It is developed across departments and must protect sensitive data from unauthorized access. A clear role concept enables a modular structure of authorizations without having to create separate roles for each user.

Incorrectly configured interfaces are one way of gaining direct access to downstream systems from the development system and possibly performing unauthorized activities there. In principle, interfaces within a transport landscape that run "uphill" with regard to the criticality of the systems, i.e. from an "unsafe" to a "safe" system (e.g. E system to Q or P system), should be avoided. However, this cannot always be implemented; for example, such interfaces are needed within the transport system. Without going too deeply into the subject, critical interfaces can be characterized by the following properties: they refer to a critical system and a critical client, they contain an interface user with critical authorizations in the target client, and they contain that user's stored password.
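
As an added example (not part of the original page and not SAP code), the three properties above can be checked over an exported interface inventory, with uphill interfaces listed first. The record fields, the tier ranking, the set of critical authorizations (including the hypothetical role Z_BASIS_ADMIN) and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumptions (not from the page): tier ranking, what counts as a critical
# authorization, and all sample data below, which is constructed.
TIER = {"DEV": 0, "QAS": 1, "PRD": 2}
CRITICAL_AUTH = {"SAP_ALL", "Z_BASIS_ADMIN"}  # Z_BASIS_ADMIN is hypothetical

@dataclass(frozen=True)
class Destination:
    name: str
    source_sid: str
    target_sid: str
    target_client: str
    user: str              # empty string: no logon user stored
    password_stored: bool

SYSTEMS = {"D01": "DEV", "Q01": "QAS", "P01": "PRD"}
CRITICAL_CLIENTS = {("P01", "100"), ("Q01", "100")}
USER_AUTHS = {  # (sid, client, user) -> profiles/roles held in the target client
    ("P01", "100", "RFC_BATCH"): {"SAP_ALL"},
    ("Q01", "000", "TMS_USER"): {"Z_TMS_MIN"},
    ("D01", "100", "RFC_REPORT"): {"SAP_ALL"},
    ("P01", "100", "RFC_LOCAL"): {"Z_BASIS_ADMIN"},
}
DESTINATIONS = [
    Destination("DEV_TO_PRD_BATCH", "D01", "P01", "100", "RFC_BATCH", True),
    Destination("DEV_TO_QAS_TMS", "D01", "Q01", "000", "TMS_USER", True),
    Destination("PRD_TO_DEV_REPORT", "P01", "D01", "100", "RFC_REPORT", True),
    Destination("DEV_TO_PRD_PROMPT", "D01", "P01", "100", "", False),
    Destination("PRD_LOCAL", "P01", "P01", "100", "RFC_LOCAL", True),
]

def is_critical(d):
    """All three properties from the text must hold at once."""
    target = (d.target_sid, d.target_client)
    auths = USER_AUTHS.get(target + (d.user,), set())
    return (target in CRITICAL_CLIENTS          # critical system and client
            and bool(auths & CRITICAL_AUTH)     # critical authorizations
            and bool(d.user) and d.password_stored)  # stored password

def is_uphill(d):
    """True when the call goes from a less protected to a more protected tier."""
    return TIER[SYSTEMS[d.target_sid]] > TIER[SYSTEMS[d.source_sid]]

def critical_interfaces(dests=DESTINATIONS):
    """Critical destinations as (name, uphill) pairs, uphill ones first."""
    hits = [(d.name, is_uphill(d)) for d in dests if is_critical(d)]
    return sorted(hits, key=lambda h: (not h[1], h[0]))

if __name__ == "__main__":
    for name, uphill in critical_interfaces():
        print(f"{name}: critical{' (uphill)' if uphill else ''}")
```

Removing any one property, for example replacing the stored password with a logon prompt or reducing the interface user's authorizations in the target client, takes a destination out of the result.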
Temporarily disable Central User Management
Although it is possible to create profiles manually, it is recommended to work with the profile generator. The Profile Generator allows you to automatically create profiles and assign them to user master records. The Profile Generator is used to simplify and speed up user administration and should always be used when setting up authorizations for your employees. The Profile Generator is also used to set up the user menus that appear when users log on to the SAP system.

In many SAP environments, there are historically grown authorization structures that cause unnecessary security gaps. These should be examined closely.

If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.

S_BTCH_ADM grants higher-level authorizations that are usually only required by administrators.

You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.


If permission proposals include authorization objects that have not yet been modified or were manually available as permissions in Maintenance Status, the underlying programme adds new default permissions for the relevant authorization objects.