Permissions checks
Features of the SAP authorization concept
For table logging, it must be ensured that SAP® Note 112388 (tables requiring logging) is fully implemented and that all tables containing financially relevant data are also included in the logging. Of course, this also applies to all Z-tables! As last point of the important parameter settings are those for the definition of the password settings. Here, it should be ensured that the parameters are also set up in accordance with the company's specifications. However, the check should not only focus on the global settings that are valid for all users, but should also include all those users who have been assigned their own security policies. Especially for these, an appropriate justification must be available in writing.
Both solutions offer you the added value of centralised reporting of existing users, newly created users, and role assignments. You can also extend the integrated workflows of both solutions to HANA permission applications. This enables you to use the risk analysis of the SAP Access Control solution also in relation to critical HANA permissions.
Concept for in-house developments
The first step to eliminating sprawl in permissions is to prevent it. To do this, administrators should obtain an overview and the assigned authorizations should be checked regularly. This helps to identify problems and incorrectly assigned authorizations at an early stage. The workload monitor can help here. This shows which authorizations users are actually using. The use of authorizations can be analyzed selectively and exported to tables. This also helps to improve existing roles and to create new roles for the authorization model in SAP.
Delete invalid SU24 Checkmarks: This function deletes all records that contain an unknown value as a check mark. This is either C (Check) or N (Do Not Check).
With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.
Now comes an important step: Replace the values you entered during the recording with a placeholder, a so-called input parameter.
The determination works via a so-called authorization profile.