Unclear objectives and lack of definition of own security standards
Add New Organisation Levels
The SAP authorization concept must generally be created in two versions: for the ABAP stack and for the Java stack. Which roles are required, which role may call which SAP functions, and other conceptual issues are identical. However, there are fundamental differences between the two versions.
Your system has inactive users? This is not only a security risk, as they often use an initial password, but also creates unnecessary licence costs. There will always be inactive users in your SAP system. There may be several reasons for this. For example, they may be management level users that are virtually unused because they are not using the ERP system. It could also be that employees no longer use their SAP user due to a change of position or that outsiders do not work on the SAP system for a while. In any case, you should ensure that these inactive users are either blocked or invalidated. Up to now, you had to select all inactive users with the help of the RSUSR200 report and then manually transfer them into the SU10 transaction to perform the blocking. You can now do this automatically.
Set up permissions to access specific CO-PA measures
You should not grant large permissions for the SCC4 and SE06 transactions to internal and external auditors, just so that they can see the system modifiability. We present the report, which only requires the permissions a auditor usually has to view the system modifiability. There are several people who want to view the system modifiability settings in your system for specific reasons. These can be internal auditors, auditors or developers. The display of these settings, e.g. via the SCC4 or SE06 transactions, is not in itself critical; However, this has previously required permissions that are not usually assigned to the group of people just described. Since SAP NetWeaver 7.0, there is also a report that shows the system modifiability settings. This report requires only viewing permissions that can be assigned to the above-described group without any concerns. We present the application of this report and the required permissions here.
The topic-related audit structures are created based on area menus. On the one hand, SAP default audit structures are offered, and on the other hand, you have the possibility to create custom audit structures as area menus. The advantage of the audit structures as area menus is that you can use existing area menus or simply create new area menus. The SE43 transaction gives you an overview of the existing area menus; It is also used to maintain and transport area menus.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
The sample function module BTE for the event 1650 can be found in the FIBF transaction in the area of Publish-&-Subscribe interfaces (Environment > Information System (P/S)).
Avoid this by basically enabling table logging and then setting logging for specific additional tables.