User group can be defined as required field
Unclear objectives and lack of definition of own security standards
Even more critical is the assignment of the comprehensive SAP® standard profile SAP_ALL, which contains almost all rights in the system. Therefore, it should be assigned to a so-called emergency user at most. The handling of the emergency user should also be specified in the authorization concept, which should be documented in writing. In any case, the activities of the emergency user should be logged and checked regularly. Therefore, it is essential in preparation for the annual audit to check the current, as well as the historical, assignments of SAP_ALL. It is therefore not sufficient to simply quickly remove the SAP_ALL profile from users in the run-up to the annual audit. It must also be proven that the SAP_ALL profile was not briefly assigned for a few days over the audit period. If SAP_ALL assignments did occur, ideally these have already been documented and checked. If this is not the case, it is essential to create documentation that cannot be changed, in which it is proven why the assignment was necessary and that the user has not carried out any critical actions beyond this (filing and review of logging).
Increasingly, it is possible to make use of automation in the security environment. Although these are not yet used by many companies, they are the next step in digital transformation. By using automation intelligently, companies can free up resources for the innovation topics that really matter. In the future, we can expect both the number and power of automation tools to increase. It is therefore only a matter of time before SAP itself also delivers optimized support in the form of tools as standard.
Use timestamp in transaction SU25
Transactions: Transactions in the audit structure start the necessary evaluations for the audit. You can recognise transactions by the clock symbol ( ). Double-clicking on the icon opens the transaction in a new window and allows you to start the evaluation. In addition, the SAIS transaction log entries for this audit activity are displayed in the upper right pane of the display. These include the current date of execution, the verifier's user ID, a check status that you assign yourself, a weighting, and a justification for the check status that you also enter into a text box. Below is an overview of the audit activities performed so far, also with a time stamp, the user ID of the verifier, the weighting of the status of the audit activity and a justification. In order not to manipulate the scanning activities, it is not possible to modify data stored once.
The SU10 transaction, as the user administrator, helps you maintain bulk user master records. You can now also select the user data by login data. You're probably familiar with this. You have blocked users, for example, so that a support package can be included. Some users, such as administrators, are not affected. For collective unlocking, you only want to select users with an administrator lock. The mass maintenance tool for users in the transaction SU10 is available for this purpose. This transaction allows you to select by user and then perform an action on all selected users. Until now, users could only be selected by address data and permission data.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
To install this extension, you will need a kernel patch.
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
However, there are also organisational fields that are only relevant for the respective module.