Displaying sensitive data
Lock Inactive Users
Alternatively, the maintenance of the authorization objects can also be called up via transaction SU21 (report RSU21_NEW). On the left side the individual classes and objects can be selected around then to the authorization object the existing authorization fields and short descriptions as well as over the button "documentation to the object indicate" also the documentation to the object to be called can.
Since the introduction of the security policy in SAP NetWeaver 7.31, this report has changed. In older releases, instead of the security policy overview, a profile parameter selection page is offered in the report's startup screen. If you select Show Profile Parameters in this selection view, you will see an overview of the Profile Parameters settings in the upper half of the screen. Here you should pay particular attention to the setting of the parameter login/no_ automatic_user_sapstar and check its setting even after the switch to the security policy.
Starting Web Dynpro ABAP applications
If a user does not have a print permission for an output device (S_SPO_DEV privilege object), an instant print flag may be rescinded, which means that a spool job created during the job step would not print immediately. If archive parameters are passed when scheduling a step, a check is performed on the object S_WFAR_PRI. If the Step user does not have a matching permission, an error message is displayed.
The first line defines that access to all files is forbidden unless other settings have been made for them in the other lines. The asterisk (*) is in the first place here and in this case for all files and paths. If the asterisk is in a different position, it is interpreted as part of the file name, which is not allowed in Microsoft Windows, for example. In our example table, setting the switches FS_NOREAD = X and FS_NOWRITE = X for all paths prohibits reading and writing. This makes the table a white list. This is preferable to a black list for security reasons. SPTH, on the other hand, becomes a Black List if you remove the first line with PATH = * in our example or if you do not set any of the switches FS_NOREAD, FS_NOWRITE or FS_BRGRU. The second line with PATH = /tmp allows read and write access for all files starting with /tmp, similar to a permission value /tmp*, as an exception to the access ban defined in the first line for all files and paths. This setting is not limited to subdirectories, but includes, for example, all files whose name starts with /tmp-xy. The third line with PATH = /tmp/myfiles defines a permission group with FS_BRGRU = FILE, triggering the subsequent permission check on the S_PATH object. The SAVEFLAG = X switch defines that these files will be included in a backup procedure; however, this is not relevant for the permission award.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
Various tools are available on the market for this purpose.
Key users should be able to access certain reports regularly, but only read information relevant to their work.