Further training in the area of authorization management
SAP Note 1707841 ships an extension to the system trace in the STAUTHTRACE transaction, which enables the permission trace to be used on all or on specific application servers. To select the application servers on which to start the trace, click the System Trace button. Now select the application servers in the list on which you want to run the system trace and start the trace with a click on Trace. In the evaluation of the Permission trace, an additional column named Server Name appears, showing you the name of the application server on which the respective permission checks were logged.
Object Privileges: Object Privileges are SQL permissions that control access to and modification of database objects (as a whole). The type of object (table, view, procedure) determines which database operations can be authorised. Database operations include SELECT, UPDATE, ALTER, DROP, and DEBUG.
When considering the security of SAP transport landscapes, it is not only the production system that is relevant for auditing. The other systems, including the development systems, must also be included in the risk considerations. The SAP_ALL profile is still frequently used there instead of concrete roles. This article identifies the main risk areas.
An SAP security check focuses in particular on the assignment of authorizations. This is what enables users to work with the SAP system in the first place, but it can, under certain circumstances, unintentionally add up to conflicts over the separation of functions or even legally critical authorizations. For this reason, tools for technical analysis must be used regularly to provide the status quo of authorization assignment and thus the basis for optimization.
With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.
However, they will lead to greater transparency and security.
A likely result is that you do not have to use all technical organisational features for differentiation.