SAP Security Concepts
Maintain permission values using trace evaluations
You are using the SAP_ALL profile for interface users, and after upgrading to a new Support Package, do you get permission errors? While we cannot recommend using the SAP_ALL profile, we describe how you can resolve this problem in the short term. In newer SAP NetWeaver releases, the SAP_ALL profile no longer contains permissions for the S_RFCACL authorization object. This can lead to permission errors, such as for interface users who have the SAP_ALL profile assigned to them. Please note that we can only recommend using the SAP_ALL profile for absolute emergency users. Therefore, instead of applying this tip, you should preferably clear the permissions of your interface users. To learn how to do this, see Tip 27, "Define S_RFC permissions using usage data." However, such a cleanup of the privileges of your interface users cannot happen overnight. Therefore, we will explain how to resolve the issue in the short term.
The goal of an authorization concept is to provide each user with the appropriate authorizations in the system individually for their tasks according to a previously defined rule. For this purpose, an authorization concept must be defined as the foundation for efficient authorization assignment. In this way, each employee is given system access through the role-specific assignment of authorizations according to his or her tasks. On the one hand, this protects sensitive information and, on the other, prevents damage caused by incorrect use of data.
Unclear objectives and lack of definition of own security standards
The next step is to evaluate the usage data; here the monthly aggregates are typically sufficient. These include the user ID, function block, and number of calls. For an overview of the usage data already stored in the system, see the SWNC_COLLECTOR_GET_DIRECTORY function block (GET_DIR_FROM_CLUSTER = X input parameter). The actual downloading of the usage data is then performed using the function block SWNC_COLLECTOR_GET_AGGREGATES.
However, a full SAP security audit does not end here. In addition, the auditor examines whether the four important concepts of SAP Security, namely the data ownership concept, the proprietary development concept, the authorization concept and the emergency user concept, meet the requirements. Each of them should represent a fully formulated document that, on the one hand, contains all the target specifications for the respective topic and, on the other hand, is consistent with the actual state found during the audit.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
In order not to manipulate the scanning activities, it is not possible to modify data stored once.
In practice, therefore, support staff often help themselves by asking the user to send a screenshot of the transaction SU53.